[1.9.x] Fixed XSS in admin's add/change related popup.
This is a security fix.
This commit is contained in:
parent
ab2f5f764a
commit
d03bf6fe4e
|
@ -120,7 +120,7 @@
|
||||||
var selects = django.jQuery(selectsSelector);
|
var selects = django.jQuery(selectsSelector);
|
||||||
selects.find('option').each(function() {
|
selects.find('option').each(function() {
|
||||||
if (this.value === objId) {
|
if (this.value === objId) {
|
||||||
this.innerHTML = newRepr;
|
this.textContent = newRepr;
|
||||||
this.value = newId;
|
this.value = newId;
|
||||||
}
|
}
|
||||||
});
|
});
|
||||||
|
|
|
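Review bot: The line `this.textContent = newRepr;` is the whole security fix, but nothing in the code records why, so a later refactor to `.html()` or `innerHTML` would silently reintroduce the injection; a comment above it such as `// newRepr is the related object's display text, which users control: assign it as text, never as HTML.` would pin the invariant. The neighbouring `this.value = newId;` is already safe because `.value` is never parsed as markup. Since this hunk shows only one such write, it is worth confirming there are no remaining innerHTML assignments elsewhere in this file that take text from the popup response. The enclosing callback starts before the hunk.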
@ -631,13 +631,13 @@ TECHNICAL_500_TEMPLATE = ("""
|
||||||
var s = link.getElementsByTagName('span')[0];
|
var s = link.getElementsByTagName('span')[0];
|
||||||
var uarr = String.fromCharCode(0x25b6);
|
var uarr = String.fromCharCode(0x25b6);
|
||||||
var darr = String.fromCharCode(0x25bc);
|
var darr = String.fromCharCode(0x25bc);
|
||||||
s.innerHTML = s.innerHTML == uarr ? darr : uarr;
|
s.textContent = s.textContent == uarr ? darr : uarr;
|
||||||
return false;
|
return false;
|
||||||
}
|
}
|
||||||
function switchPastebinFriendly(link) {
|
function switchPastebinFriendly(link) {
|
||||||
s1 = "Switch to copy-and-paste view";
|
s1 = "Switch to copy-and-paste view";
|
||||||
s2 = "Switch back to interactive view";
|
s2 = "Switch back to interactive view";
|
||||||
link.innerHTML = link.innerHTML.trim() == s1 ? s2: s1;
|
link.textContent = link.textContent.trim() == s1 ? s2: s1;
|
||||||
toggle('browserTraceback', 'pastebinTraceback');
|
toggle('browserTraceback', 'pastebinTraceback');
|
||||||
return false;
|
return false;
|
||||||
}
|
}
|
||||||
|
|
|
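Review bot: In `switchPastebinFriendly`, `s1` and `s2` are assigned without `var` on the lines `s1 = "Switch to copy-and-paste view";` and `s2 = "Switch back to interactive view";`, so they leak as implicit globals in the debug page's script; with the adjacent line already being touched, `var s1 = "Switch to copy-and-paste view";` and `var s2 = "Switch back to interactive view";` would keep them local. The two `innerHTML` to `textContent` swaps are behaviour-preserving here because both comparisons are against constant strings, so this part is hardening of the embedded template rather than a functional change, and a one-line comment in the template saying so would help the next reader. The first function in the hunk begins before the hunk.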
@ -2,9 +2,20 @@
|
||||||
Django 1.8.14 release notes
|
Django 1.8.14 release notes
|
||||||
===========================
|
===========================
|
||||||
|
|
||||||
*Under development*
|
*July 18, 2016*
|
||||||
|
|
||||||
Django 1.8.14 fixes several bugs in 1.8.13.
|
Django 1.8.14 fixes a security issue and a bug in 1.8.13.
|
||||||
|
|
||||||
|
XSS in admin's add/change related popup
|
||||||
|
=======================================
|
||||||
|
|
||||||
|
Unsafe usage of JavaScript's ``Element.innerHTML`` could result in XSS in the
|
||||||
|
admin's add/change related popup. ``Element.textContent`` is now used to
|
||||||
|
prevent execution of the data.
|
||||||
|
|
||||||
|
The debug view also used ``innerHTML``. Although a security issue wasn't
|
||||||
|
identified there, out of an abundance of caution it's also updated to use
|
||||||
|
``textContent``.
|
||||||
|
|
||||||
Bugfixes
|
Bugfixes
|
||||||
========
|
========
|
||||||
|
|
|
@ -2,9 +2,20 @@
|
||||||
Django 1.9.8 release notes
|
Django 1.9.8 release notes
|
||||||
==========================
|
==========================
|
||||||
|
|
||||||
*Under development*
|
*July 18, 2016*
|
||||||
|
|
||||||
Django 1.9.8 fixes several bugs in 1.9.7.
|
Django 1.9.8 fixes a security issue and several bugs in 1.9.7.
|
||||||
|
|
||||||
|
XSS in admin's add/change related popup
|
||||||
|
=======================================
|
||||||
|
|
||||||
|
Unsafe usage of JavaScript's ``Element.innerHTML`` could result in XSS in the
|
||||||
|
admin's add/change related popup. ``Element.textContent`` is now used to
|
||||||
|
prevent execution of the data.
|
||||||
|
|
||||||
|
The debug view also used ``innerHTML``. Although a security issue wasn't
|
||||||
|
identified there, out of an abundance of caution it's also updated to use
|
||||||
|
``textContent``.
|
||||||
|
|
||||||
Bugfixes
|
Bugfixes
|
||||||
========
|
========
|
||||||
|
|
|
@ -17,6 +17,7 @@ from django.db import models
|
||||||
from django.utils.encoding import python_2_unicode_compatible
|
from django.utils.encoding import python_2_unicode_compatible
|
||||||
|
|
||||||
|
|
||||||
|
@python_2_unicode_compatible
|
||||||
class Section(models.Model):
|
class Section(models.Model):
|
||||||
"""
|
"""
|
||||||
A simple section that links to articles, to test linking to related items
|
A simple section that links to articles, to test linking to related items
|
||||||
|
@ -24,6 +25,9 @@ class Section(models.Model):
|
||||||
"""
|
"""
|
||||||
name = models.CharField(max_length=100)
|
name = models.CharField(max_length=100)
|
||||||
|
|
||||||
|
def __str__(self):
|
||||||
|
return self.name
|
||||||
|
|
||||||
@property
|
@property
|
||||||
def name_property(self):
|
def name_property(self):
|
||||||
"""
|
"""
|
||||||
|
|
|
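Review bot: The new `__str__` returning `self.name` carries no comment saying what depends on it, and in a test model that reads as incidental; a note above it such as `# Text the admin popup hands back to the opener; the Selenium XSS regression test asserts on it.` would stop someone from removing it later. That the popup shows str(obj) is inferred from the Selenium test reading the section name back from the select, so confirm the wording against the admin view before adding it. The `@python_2_unicode_compatible` decorator is the right companion since the method returns the CharField's text value.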
@ -4625,8 +4625,10 @@ class SeleniumAdminViewsFirefoxTests(AdminSeleniumWebDriverTestCase):
|
||||||
"""
|
"""
|
||||||
list_editable foreign keys have add/change popups.
|
list_editable foreign keys have add/change popups.
|
||||||
"""
|
"""
|
||||||
|
from selenium.webdriver.support.ui import Select
|
||||||
s1 = Section.objects.create(name='Test section')
|
s1 = Section.objects.create(name='Test section')
|
||||||
Article.objects.create(
|
Article.objects.create(
|
||||||
|
title='foo',
|
||||||
content='<p>Middle content</p>',
|
content='<p>Middle content</p>',
|
||||||
date=datetime.datetime(2008, 3, 18, 11, 54, 58),
|
date=datetime.datetime(2008, 3, 18, 11, 54, 58),
|
||||||
section=s1,
|
section=s1,
|
||||||
|
@ -4638,8 +4640,13 @@ class SeleniumAdminViewsFirefoxTests(AdminSeleniumWebDriverTestCase):
|
||||||
self.wait_for_popup()
|
self.wait_for_popup()
|
||||||
self.selenium.switch_to.window(self.selenium.window_handles[-1])
|
self.selenium.switch_to.window(self.selenium.window_handles[-1])
|
||||||
self.wait_for_text('#content h1', 'Change section')
|
self.wait_for_text('#content h1', 'Change section')
|
||||||
self.selenium.close()
|
name_input = self.selenium.find_element_by_id('id_name')
|
||||||
|
name_input.clear()
|
||||||
|
name_input.send_keys('<i>edited section</i>')
|
||||||
|
self.selenium.find_element_by_xpath('//input[@value="Save"]').click()
|
||||||
self.selenium.switch_to.window(self.selenium.window_handles[0])
|
self.selenium.switch_to.window(self.selenium.window_handles[0])
|
||||||
|
select = Select(self.selenium.find_element_by_id('id_form-0-section'))
|
||||||
|
self.assertEqual(select.first_selected_option.text, '<i>edited section</i>')
|
||||||
|
|
||||||
# Add popup
|
# Add popup
|
||||||
self.selenium.find_element_by_id('add_id_form-0-section').click()
|
self.selenium.find_element_by_id('add_id_form-0-section').click()
|
||||||
|
|
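Review bot: There is no wait between `self.selenium.find_element_by_xpath('//input[@value="Save"]').click()` and the `select.first_selected_option.text` assertion, so the check relies on the popup having already run its dismiss callback in the opener when `switch_to.window(...)` returns; the earlier step in this test uses `self.wait_for_text(...)`, and a similar wait on the option text (or on the popup window closing) before the `assertEqual` would make the regression test robust against timing. The assertion is the point of the fix and deserves a comment such as `# With innerHTML the markup would be parsed and .text would lose the tags; textContent keeps the literal '<i>edited section</i>'.` The test method continues past the hunk, so the add-popup half is not visible here.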