mirror of
https://github.com/django/django.git
synced 2025-01-10 10:26:34 +00:00
[1.10.x] Fixed XSS in admin's add/change related popup.
This is a security fix.
This commit is contained in:
parent
a03ac61332
commit
6fa150b2f8
@ -104,7 +104,7 @@
|
||||
var selects = $(selectsSelector);
|
||||
selects.find('option').each(function() {
|
||||
if (this.value === objId) {
|
||||
this.innerHTML = newRepr;
|
||||
this.textContent = newRepr;
|
||||
this.value = newId;
|
||||
}
|
||||
});
|
||||
|
@ -636,13 +636,13 @@ TECHNICAL_500_TEMPLATE = ("""
|
||||
var s = link.getElementsByTagName('span')[0];
|
||||
var uarr = String.fromCharCode(0x25b6);
|
||||
var darr = String.fromCharCode(0x25bc);
|
||||
s.innerHTML = s.innerHTML == uarr ? darr : uarr;
|
||||
s.textContent = s.textContent == uarr ? darr : uarr;
|
||||
return false;
|
||||
}
|
||||
function switchPastebinFriendly(link) {
|
||||
s1 = "Switch to copy-and-paste view";
|
||||
s2 = "Switch back to interactive view";
|
||||
link.innerHTML = link.innerHTML.trim() == s1 ? s2: s1;
|
||||
link.textContent = link.textContent.trim() == s1 ? s2: s1;
|
||||
toggle('browserTraceback', 'pastebinTraceback');
|
||||
return false;
|
||||
}
|
||||
|
@ -2,9 +2,20 @@
|
||||
Django 1.8.14 release notes
|
||||
===========================
|
||||
|
||||
*Under development*
|
||||
*July 18, 2016*
|
||||
|
||||
Django 1.8.14 fixes several bugs in 1.8.13.
|
||||
Django 1.8.14 fixes a security issue and a bug in 1.8.13.
|
||||
|
||||
XSS in admin's add/change related popup
|
||||
=======================================
|
||||
|
||||
Unsafe usage of JavaScript's ``Element.innerHTML`` could result in XSS in the
|
||||
admin's add/change related popup. ``Element.textContent`` is now used to
|
||||
prevent execution of the data.
|
||||
|
||||
The debug view also used ``innerHTML``. Although a security issue wasn't
|
||||
identified there, out of an abundance of caution it's also updated to use
|
||||
``textContent``.
|
||||
|
||||
Bugfixes
|
||||
========
|
||||
|
@ -2,9 +2,20 @@
|
||||
Django 1.9.8 release notes
|
||||
==========================
|
||||
|
||||
*Under development*
|
||||
*July 18, 2016*
|
||||
|
||||
Django 1.9.8 fixes several bugs in 1.9.7.
|
||||
Django 1.9.8 fixes a security issue and several bugs in 1.9.7.
|
||||
|
||||
XSS in admin's add/change related popup
|
||||
=======================================
|
||||
|
||||
Unsafe usage of JavaScript's ``Element.innerHTML`` could result in XSS in the
|
||||
admin's add/change related popup. ``Element.textContent`` is now used to
|
||||
prevent execution of the data.
|
||||
|
||||
The debug view also used ``innerHTML``. Although a security issue wasn't
|
||||
identified there, out of an abundance of caution it's also updated to use
|
||||
``textContent``.
|
||||
|
||||
Bugfixes
|
||||
========
|
||||
|
@ -4450,11 +4450,11 @@ class SeleniumTests(AdminSeleniumTestCase):
|
||||
self.wait_for_text('#content h1', 'Change section')
|
||||
name_input = self.selenium.find_element_by_id('id_name')
|
||||
name_input.clear()
|
||||
name_input.send_keys('edited section')
|
||||
name_input.send_keys('<i>edited section</i>')
|
||||
self.selenium.find_element_by_xpath('//input[@value="Save"]').click()
|
||||
self.selenium.switch_to.window(self.selenium.window_handles[0])
|
||||
select = Select(self.selenium.find_element_by_id('id_form-0-section'))
|
||||
self.assertEqual(select.first_selected_option.text, 'edited section')
|
||||
self.assertEqual(select.first_selected_option.text, '<i>edited section</i>')
|
||||
|
||||
# Add popup
|
||||
self.selenium.find_element_by_id('add_id_form-0-section').click()
|
||||
|
Loading…
Reference in New Issue
Block a user