From fa5ff296ce8e067ca135ad9d3f62ba57df0d5194 Mon Sep 17 00:00:00 2001
From: Jacob Kaplan-Moss
Date: Fri, 20 Nov 2009 15:04:16 +0000
Subject: [PATCH] [1.1.X] Added an explicit test showing that field errors are correctly autoescaped.

Backport of r11756 from trunk.

git-svn-id: http://code.djangoproject.com/svn/django/branches/releases/1.1.X@11757 bcc190cf-cafb-0310-a4f2-bffc1f526a37
---
tests/regressiontests/forms/regressions.py | 30 ++++++++++++++++++++++
1 file changed, 30 insertions(+)

diff --git a/tests/regressiontests/forms/regressions.py b/tests/regressiontests/forms/regressions.py
index 51aa41d2fb..9471932057 100644
--- a/tests/regressiontests/forms/regressions.py
+++ b/tests/regressiontests/forms/regressions.py
@@ -102,4 +102,34 @@ u'>> f.as_table() u''
+###################################################
+# Tests for XSS vulnerabilities in error messages #
+###################################################
+
+# The forms layer doesn't escape input values directly because error messages
+# might be presented in non-HTML contexts. Instead, the message is just marked
+# for escaping by the template engine. So we'll need to construct a little
+# silly template to trigger the escaping.
+
+>>> from django.template import Template, Context
+>>> t = Template('{{ form.errors }}')
+
+>>> class SomeForm(Form):
+... field = ChoiceField(choices=[('one', 'One')])
+>>> f = SomeForm({'field': '