mirrors/django
1
0
Fork 0
mirror of https://github.com/django/django.git synced 2025-10-24 06:06:09 +00:00
Code Issues 32 Releases Wiki Activity

Fixed #15182 - Fixed a security issue with ClearableFileInput. Disclosure and new release forthcoming.

Browse Source 
git-svn-id: http://code.djangoproject.com/svn/django/trunk@15470 bcc190cf-cafb-0310-a4f2-bffc1f526a37
This commit is contained in:
Carl Meyer
2011-02-09 02:41:32 +00:00
parent 6ca7c9c495
commit 9f6d50d02e
2 changed files with 26 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

22
tests/regressiontests/forms/tests/widgets.py
View File

@@ -1086,6 +1086,28 @@ class ClearableFileInputTests(TestCase):
self.assertEqual(widget.render('myfile', FakeFieldFile()),
u'Currently: <a href="something">something</a> <input type="checkbox" name="myfile-clear" id="myfile-clear_id" /> <label for="myfile-clear_id">Clear</label><br />Change: <input type="file" name="myfile" />')
def test_html_escaped(self):
"""
A ClearableFileInput should escape name, filename and URL when
rendering HTML. Refs #15182.
"""
class StrangeFieldFile(object):
url = "something?chapter=1&sect=2&copy=3&lang=en"
def __unicode__(self):
return u'''something<div onclick="alert('oops')">.jpg'''
widget = ClearableFileInput()
field = StrangeFieldFile()
output = widget.render('my<div>file', field)
self.assertFalse(field.url in output)
self.assertTrue(u'href="something?chapter=1&amp;sect=2&amp;copy=3&amp;lang=en"' in output)
self.assertFalse(unicode(field) in output)
self.assertTrue(u'something&lt;div onclick=&quot;alert(&#39;oops&#39;)&quot;&gt;.jpg' in output)
self.assertTrue(u'my&lt;div&gt;file' in output)
self.assertFalse(u'my<div>file' in output)
def test_clear_input_renders_only_if_not_required(self):
"""
A ClearableFileInput with is_required=False does not render a clear