
[1.7.x] Fixed is_safe_url() to handle leading whitespace.

This is a security fix. Disclosure following shortly.
This commit is contained in:
Tim Graham
2014-12-03 16:14:00 -05:00
parent 41b4bc73ee
commit de67dedc77
5 changed files with 45 additions and 1 deletions


@@ -107,7 +107,8 @@ class TestUtilsHttp(unittest.TestCase):
'http:/\//example.com',
'http:\/example.com',
'http:/\example.com',
'javascript:alert("XSS")'):
'javascript:alert("XSS")',
'\njavascript:alert(x)'):
self.assertFalse(http.is_safe_url(bad_url, host='testserver'), "%s should be blocked" % bad_url)
for good_url in ('/view/?param=http://example.com',
'/view/?param=https://example.com',
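Review bot: The new bad-URL case pins only a leading `\n`, while the commit title describes the fix as handling leading whitespace in general; if is_safe_url() now strips any leading whitespace, the test should cover the other common forms too, e.g. `'\tjavascript:alert(x)',` and `' javascript:alert(x)',` alongside the existing entry, so a regression that handles only newlines is still caught. If the fix is deliberately limited to `\n`, a short comment on the new tuple entry saying so would stop a later reader from widening the test wrongly. A minor point of style: the failure message uses `"%s should be blocked" % bad_url`, so with whitespace-prefixed inputs the message now starts with an invisible newline; `%r` would show the exact bytes under test. The enclosing test method starts before this hunk.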