Fixed #24466 -- Added JavaScript escaping in a couple places in the admin.

Thanks Aymeric Augustin and Florian Apolloner for work on the patch.
2025-10-24 06:06:09 +00:00 · 2015-03-06 12:45:53 -05:00
parent b86abbceb9
commit 845817b039
9 changed files with 77 additions and 26 deletions
--- a/tests/admin_widgets/tests.py
+++ b/tests/admin_widgets/tests.py
@@ -264,17 +264,23 @@ class AdminForeignKeyRawIdWidget(TestDataMixin, DjangoTestCase):

 class FilteredSelectMultipleWidgetTest(DjangoTestCase):
    def test_render(self):
-        w = widgets.FilteredSelectMultiple('test', False)
+        # Backslash in verbose_name to ensure it is JavaScript escaped.
+        w = widgets.FilteredSelectMultiple('test\\', False)
        self.assertHTMLEqual(
            w.render('test', 'test'),
-            '<select multiple="multiple" name="test" class="selectfilter">\n</select><script type="text/javascript">addEvent(window, "load", function(e) {SelectFilter.init("id_test", "test", 0); });</script>\n'
+            '<select multiple="multiple" name="test" class="selectfilter">\n</select>'
+            '<script type="text/javascript">addEvent(window, "load", function(e) '
+            '{SelectFilter.init("id_test", "test\\u005C", 0); });</script>\n'
        )

    def test_stacked_render(self):
-        w = widgets.FilteredSelectMultiple('test', True)
+        # Backslash in verbose_name to ensure it is JavaScript escaped.
+        w = widgets.FilteredSelectMultiple('test\\', True)
        self.assertHTMLEqual(
            w.render('test', 'test'),
-            '<select multiple="multiple" name="test" class="selectfilterstacked">\n</select><script type="text/javascript">addEvent(window, "load", function(e) {SelectFilter.init("id_test", "test", 1); });</script>\n'
+            '<select multiple="multiple" name="test" class="selectfilterstacked">\n</select>'
+            '<script type="text/javascript">addEvent(window, "load", function(e) '
+            '{SelectFilter.init("id_test", "test\\u005C", 1); });</script>\n'
        )