Fixed #31361 -- Fixed invalid action="" in admin forms.

The attribute action="" (empty string) on the <form> element is invalid HTML5. The spec (https://html.spec.whatwg.org/#attr-fs-action) says: > The action and formaction content attributes, if specified, must have > a value that is a valid non-empty URL potentially surrounded by > spaces. Emphasis on non-empty. The action attribute is allowed to be omitted, in which case the current URL is used which is the same behavior as now.
2020-03-13 06:26:06 -07:00 · 2020-03-13 06:26:06 -07:00 · 3857a08bdb
parent b7093860df
commit 3857a08bdb
4 changed files with 24 additions and 15 deletions
--- a/django/contrib/admin/templates/admin/auth/user/change_password.html
+++ b/django/contrib/admin/templates/admin/auth/user/change_password.html
@ -19,7 +19,7 @@
 {% endblock %}
 {% endif %}
 {% block content %}<div id="content-main">
-<form action="{{ form_url }}" method="post" id="{{ opts.model_name }}_form">{% csrf_token %}{% block form_top %}{% endblock %}
+<form{% if form_url %} action="{{ form_url }}"{% endif %} method="post" id="{{ opts.model_name }}_form">{% csrf_token %}{% block form_top %}{% endblock %}
 <input type="text" name="username" value="{{ original.get_username }}" style="display: none">
 <div>
 {% if is_popup %}<input type="hidden" name="_popup" value="1">{% endif %}
--- a/django/contrib/admin/templates/admin/change_form.html
+++ b/django/contrib/admin/templates/admin/change_form.html
@ -33,7 +33,7 @@
  </ul>
 {% endif %}{% endif %}
 {% endblock %}
-<form {% if has_file_field %}enctype="multipart/form-data" {% endif %}action="{{ form_url }}" method="post" id="{{ opts.model_name }}_form" novalidate>{% csrf_token %}{% block form_top %}{% endblock %}
+<form {% if has_file_field %}enctype="multipart/form-data" {% endif %}{% if form_url %}action="{{ form_url }}" {% endif %}method="post" id="{{ opts.model_name }}_form" novalidate>{% csrf_token %}{% block form_top %}{% endblock %}
 <div>
 {% if is_popup %}<input type="hidden" name="{{ is_popup_var }}" value="1">{% endif %}
 {% if to_field %}<input type="hidden" name="{{ to_field_var }}" value="{{ to_field }}">{% endif %}
--- a/tests/admin_views/tests.py
+++ b/tests/admin_views/tests.py
@ -5868,21 +5868,19 @@ class AdminKeepChangeListFiltersTests(TestCase):
            self.get_changelist_filters_querystring(),
        )

-    def get_add_url(self):
-        return '%s?%s' % (
-            reverse('admin:auth_user_add',
-                    current_app=self.admin_site.name),
-            self.get_preserved_filters_querystring(),
-        )
+    def get_add_url(self, add_preserved_filters=True):
+        url = reverse('admin:auth_user_add', current_app=self.admin_site.name)
+        if add_preserved_filters:
+            url = '%s?%s' % (url, self.get_preserved_filters_querystring())
+        return url

-    def get_change_url(self, user_id=None):
+    def get_change_url(self, user_id=None, add_preserved_filters=True):
        if user_id is None:
            user_id = self.get_sample_user_id()
-        return "%s?%s" % (
-            reverse('admin:auth_user_change', args=(user_id,),
-                    current_app=self.admin_site.name),
-            self.get_preserved_filters_querystring(),
-        )
+        url = reverse('admin:auth_user_change', args=(user_id,), current_app=self.admin_site.name)
+        if add_preserved_filters:
+            url = '%s?%s' % (url, self.get_preserved_filters_querystring())
+        return url

    def get_history_url(self, user_id=None):
        if user_id is None:
@ -5965,6 +5963,11 @@ class AdminKeepChangeListFiltersTests(TestCase):
        self.assertRedirects(response, self.get_add_url())
        post_data.pop('_addanother')

+    def test_change_view_without_preserved_filters(self):
+        response = self.client.get(self.get_change_url(add_preserved_filters=False))
+        # The action attribute is omitted.
+        self.assertContains(response, '<form method="post" id="user_form" novalidate>')
+
    def test_add_view(self):
        # Get the `add_view`.
        response = self.client.get(self.get_add_url())
@ -6003,6 +6006,11 @@ class AdminKeepChangeListFiltersTests(TestCase):
        self.assertRedirects(response, self.get_add_url())
        post_data.pop('_addanother')

+    def test_add_view_without_preserved_filters(self):
+        response = self.client.get(self.get_add_url(add_preserved_filters=False))
+        # The action attribute is omitted.
+        self.assertContains(response, '<form method="post" id="user_form" novalidate>')
+
    def test_delete_view(self):
        # Test redirect on "Delete".
        response = self.client.post(self.get_delete_url(), {'post': 'yes'})
--- a/tests/auth_tests/test_views.py
+++ b/tests/auth_tests/test_views.py
@ -1284,7 +1284,8 @@ class UUIDUserTests(TestCase):

        password_change_url = reverse('custom_user_admin:auth_user_password_change', args=(u.pk,))
        response = self.client.get(password_change_url)
-        self.assertEqual(response.status_code, 200)
+        # The action attribute is omitted.
+        self.assertContains(response, '<form method="post" id="uuiduser_form">')

        # A LogEntry is created with pk=1 which breaks a FK constraint on MySQL
        with connection.constraint_checks_disabled():