mirrors/django
1
0
Fork 0
mirror of https://github.com/django/django.git synced 2025-10-31 09:41:08 +00:00
Code Issues 32 Releases Wiki Activity

[1.7.x] Fixed #24461 -- Fixed XSS issue in ModelAdmin.readonly_fields

Browse Source
This commit is contained in:
Baptiste Mispelon
2015-03-08 11:50:32 +01:00
committed by Tim Graham
parent 5a3b531121
commit 2654e1b939
5 changed files with 34 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files

9
tests/admin_views/tests.py
View File

@@ -3862,6 +3862,15 @@ class ReadonlyTest(TestCase):
self.assertContains(response, '<label for="id_public">Overridden public label:</label>', html=True)
self.assertNotContains(response, "Some help text for the date (with unicode ŠĐĆŽćžšđ)")
def test_correct_autoescaping(self):
"""
Make sure that non-field readonly elements are properly autoescaped (#24461)
"""
section = Section.objects.create(name='<a>evil</a>')
response = self.client.get(reverse('admin:admin_views_section_change', args=(section.pk,)))
self.assertNotContains(response, "<a>evil</a>", status_code=200)
self.assertContains(response, "&lt;a&gt;evil&lt;/a&gt;", status_code=200)
@override_settings(PASSWORD_HASHERS=('django.contrib.auth.hashers.SHA1PasswordHasher',))
class LimitChoicesToInAdminTest(TestCase):