Refs #24461 -- Added test/release notes for XSS issue in ModelAdmin.readonly_fields

This issue was fixed by refs #24464.
2025-10-31 01:25:32 +00:00 · 2015-03-08 11:50:32 +01:00
parent 300fdbbebb
commit 82c9169077
4 changed files with 33 additions and 3 deletions
--- a/tests/admin_views/tests.py
+++ b/tests/admin_views/tests.py
@@ -4644,6 +4644,15 @@ class ReadonlyTest(TestCase):
        self.assertContains(response, '<label for="id_public">Overridden public label:</label>', html=True)
        self.assertNotContains(response, "Some help text for the date (with unicode ŠĐĆŽćžšđ)")

+    def test_correct_autoescaping(self):
+        """
+        Make sure that non-field readonly elements are properly autoescaped (#24461)
+        """
+        section = Section.objects.create(name='<a>evil</a>')
+        response = self.client.get(reverse('admin:admin_views_section_change', args=(section.pk,)))
+        self.assertNotContains(response, "<a>evil</a>", status_code=200)
+        self.assertContains(response, "&lt;a&gt;evil&lt;/a&gt;", status_code=200)
+

@override_settings(PASSWORD_HASHERS=['django.contrib.auth.hashers.SHA1PasswordHasher'],
    ROOT_URLCONF="admin_views.urls")