
[3.1.x] Fixed CVE-2020-13596 -- Fixed potential XSS in admin ForeignKeyRawIdWidget.

This commit is contained in:
Jon Dufresne
2020-05-26 09:51:02 +02:00
committed by Carlton Gibson
parent 0186b43073
commit 49d7cc19e3
5 changed files with 36 additions and 3 deletions


@@ -27,6 +27,14 @@ class Band(models.Model):
return self.name
class UnsafeLimitChoicesTo(models.Model):
band = models.ForeignKey(
Band,
models.CASCADE,
limit_choices_to={'name': '"&><escapeme'},
)
class Album(models.Model):
band = models.ForeignKey(Band, models.CASCADE)
featuring = models.ManyToManyField(Band, related_name='featured')
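Review bot: UnsafeLimitChoicesTo carries no comment explaining why its limit_choices_to value is the odd-looking string `'"&><escapeme'`, so a later reader may "tidy" the string or delete the seemingly unused model without realising it pins the CVE-2020-13596 regression. A one-line comment above the field would keep the intent with the fixture, e.g. `# Deliberately unsafe characters: ForeignKeyRawIdWidget must encode these in the related-object URL (CVE-2020-13596).` The payload covers `"`, `&`, `>` and `<`, which are the HTML-escape set; it may be worth confirming that the accompanying assertions also cover a single quote and a space, since URL encoding treats those differently from HTML escaping, though the test module is outside this hunk. The Album class at the end of the hunk looks complete, but any further lines of it are outside this view.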