Apply autoescaping to AdminURLFieldWidget.
This is a security fix; disclosure to follow shortly.
This commit is contained in:
parent
79594b40c0
commit
bfbae15c66
|
@ -305,9 +305,9 @@ class AdminURLFieldWidget(forms.URLInput):
|
||||||
html = super(AdminURLFieldWidget, self).render(name, value, attrs)
|
html = super(AdminURLFieldWidget, self).render(name, value, attrs)
|
||||||
if value:
|
if value:
|
||||||
value = force_text(self._format_value(value))
|
value = force_text(self._format_value(value))
|
||||||
final_attrs = {'href': mark_safe(smart_urlquote(value))}
|
final_attrs = {'href': smart_urlquote(value)}
|
||||||
html = format_html(
|
html = format_html(
|
||||||
'<p class="url">{0} <a {1}>{2}</a><br />{3} {4}</p>',
|
'<p class="url">{0} <a{1}>{2}</a><br />{3} {4}</p>',
|
||||||
_('Currently:'), flatatt(final_attrs), value,
|
_('Currently:'), flatatt(final_attrs), value,
|
||||||
_('Change:'), html
|
_('Change:'), html
|
||||||
)
|
)
|
||||||
|
|
|
@ -321,18 +321,24 @@ class AdminURLWidgetTest(DjangoTestCase):
|
||||||
w = widgets.AdminURLFieldWidget()
|
w = widgets.AdminURLFieldWidget()
|
||||||
self.assertHTMLEqual(
|
self.assertHTMLEqual(
|
||||||
conditional_escape(w.render('test', 'http://example-äüö.com')),
|
conditional_escape(w.render('test', 'http://example-äüö.com')),
|
||||||
'<p class="url">Currently:<a href="http://xn--example--7za4pnc.com">http://example-äüö.com</a><br />Change:<input class="vURLField" name="test" type="url" value="http://example-äüö.com" /></p>'
|
'<p class="url">Currently: <a href="http://xn--example--7za4pnc.com">http://example-äüö.com</a><br />Change:<input class="vURLField" name="test" type="url" value="http://example-äüö.com" /></p>'
|
||||||
)
|
)
|
||||||
|
|
||||||
def test_render_quoting(self):
|
def test_render_quoting(self):
|
||||||
|
# WARNING: Don't use assertHTMLEqual in that testcase!
|
||||||
|
# assertHTMLEqual will get rid of some escapes which are tested here!
|
||||||
w = widgets.AdminURLFieldWidget()
|
w = widgets.AdminURLFieldWidget()
|
||||||
self.assertHTMLEqual(
|
self.assertEqual(
|
||||||
conditional_escape(w.render('test', 'http://example.com/<sometag>some text</sometag>')),
|
w.render('test', 'http://example.com/<sometag>some text</sometag>'),
|
||||||
'<p class="url">Currently:<a href="http://example.com/%3Csometag%3Esome%20text%3C/sometag%3E">http://example.com/<sometag>some text</sometag></a><br />Change:<input class="vURLField" name="test" type="url" value="http://example.com/<sometag>some text</sometag>" /></p>'
|
'<p class="url">Currently: <a href="http://example.com/%3Csometag%3Esome%20text%3C/sometag%3E">http://example.com/<sometag>some text</sometag></a><br />Change: <input class="vURLField" name="test" type="url" value="http://example.com/<sometag>some text</sometag>" /></p>'
|
||||||
)
|
)
|
||||||
self.assertHTMLEqual(
|
self.assertEqual(
|
||||||
conditional_escape(w.render('test', 'http://example-äüö.com/<sometag>some text</sometag>')),
|
w.render('test', 'http://example-äüö.com/<sometag>some text</sometag>'),
|
||||||
'<p class="url">Currently:<a href="http://xn--example--7za4pnc.com/%3Csometag%3Esome%20text%3C/sometag%3E">http://example-äüö.com/<sometag>some text</sometag></a><br />Change:<input class="vURLField" name="test" type="url" value="http://example-äüö.com/<sometag>some text</sometag>" /></p>'
|
'<p class="url">Currently: <a href="http://xn--example--7za4pnc.com/%3Csometag%3Esome%20text%3C/sometag%3E">http://example-äüö.com/<sometag>some text</sometag></a><br />Change: <input class="vURLField" name="test" type="url" value="http://example-äüö.com/<sometag>some text</sometag>" /></p>'
|
||||||
|
)
|
||||||
|
self.assertEqual(
|
||||||
|
w.render('test', 'http://www.example.com/%C3%A4"><script>alert("XSS!")</script>"'),
|
||||||
|
'<p class="url">Currently: <a href="http://www.example.com/%C3%A4%22%3E%3Cscript%3Ealert(%22XSS!%22)%3C/script%3E%22">http://www.example.com/%C3%A4"><script>alert("XSS!")</script>"</a><br />Change: <input class="vURLField" name="test" type="url" value="http://www.example.com/%C3%A4"><script>alert("XSS!")</script>"" /></p>'
|
||||||
)
|
)
|
||||||
|
|
||||||
|
|
||||||
|
|
Loading…
Reference in New Issue