From 1f814a9547842dcfabdae09573055984af9d3fab Mon Sep 17 00:00:00 2001 From: Carl Meyer Date: Wed, 9 Feb 2011 02:44:16 +0000 Subject: [PATCH] [1.2.X] Fixed security issue in AdminFileWidget. Disclosure and release forthcoming. git-svn-id: http://code.djangoproject.com/svn/django/branches/releases/1.2.X@15471 bcc190cf-cafb-0310-a4f2-bffc1f526a37 --- django/contrib/admin/widgets.py | 2 +- tests/regressiontests/admin_widgets/tests.py | 16 ++++++++++++++++ 2 files changed, 17 insertions(+), 1 deletion(-) diff --git a/django/contrib/admin/widgets.py b/django/contrib/admin/widgets.py index 516869f1ef..472f69dcf0 100644 --- a/django/contrib/admin/widgets.py +++ b/django/contrib/admin/widgets.py @@ -96,7 +96,7 @@ class AdminFileWidget(forms.FileInput): output = [] if value and hasattr(value, "url"): output.append('%s %s
%s ' % \ - (_('Currently:'), value.url, value, _('Change:'))) + (_('Currently:'), escape(value.url), escape(value), _('Change:'))) output.append(super(AdminFileWidget, self).render(name, value, attrs)) return mark_safe(u''.join(output)) diff --git a/tests/regressiontests/admin_widgets/tests.py b/tests/regressiontests/admin_widgets/tests.py index e43ab83e9d..cf3f965c14 100644 --- a/tests/regressiontests/admin_widgets/tests.py +++ b/tests/regressiontests/admin_widgets/tests.py @@ -239,6 +239,22 @@ class AdminFileWidgetTest(DjangoTestCase): '', ) + def test_render_escapes_html(self): + class StrangeFieldFile(object): + url = "something?chapter=1§=2©=3&lang=en" + + def __unicode__(self): + return u'''something
.jpg''' + + widget = AdminFileWidget() + field = StrangeFieldFile() + output = widget.render('myfile', field) + self.assertFalse(field.url in output) + self.assertTrue(u'href="something?chapter=1&sect=2&copy=3&lang=en"' in output) + self.assertFalse(unicode(field) in output) + self.assertTrue(u'something<div onclick="alert('oops')">.jpg' in output) + + class ForeignKeyRawIdWidgetTest(DjangoTestCase): def test_render(self):