[3.1.x] Fixed CVE-2020-13596 -- Fixed potential XSS in admin ForeignKeyRawIdWidget.

2025-10-24 14:16:09 +00:00 · 2020-05-26 09:51:02 +02:00
parent 0186b43073
commit 49d7cc19e3
5 changed files with 36 additions and 3 deletions
--- a/tests/admin_widgets/tests.py
+++ b/tests/admin_widgets/tests.py
@@ -24,6 +24,7 @@ from django.utils import translation
 from .models import (
    Advisor, Album, Band, Bee, Car, Company, Event, Honeycomb, Individual,
    Inventory, Member, MyFileField, Profile, School, Student,
+    UnsafeLimitChoicesTo,
 )
 from .widgetadmin import site as widget_admin_site

@@ -617,6 +618,16 @@ class ForeignKeyRawIdWidgetTest(TestCase):
            'Hidden</a></strong>' % {'pk': hidden.pk}
        )

+    def test_render_unsafe_limit_choices_to(self):
+        rel = UnsafeLimitChoicesTo._meta.get_field('band').remote_field
+        w = widgets.ForeignKeyRawIdWidget(rel, widget_admin_site)
+        self.assertHTMLEqual(
+            w.render('test', None),
+            '<input type="text" name="test" class="vForeignKeyRawIdAdminField">\n'
+            '<a href="/admin_widgets/band/?name=%22%26%3E%3Cescapeme&amp;_to_field=id" '
+            'class="related-lookup" id="lookup_id_test" title="Lookup"></a>'
+        )
+

@override_settings(ROOT_URLCONF='admin_widgets.urls')
 class ManyToManyRawIdWidgetTest(TestCase):