Fixed #31361 -- Fixed invalid action="" in admin forms.

The attribute action="" (empty string) on the <form> element is invalid
HTML5. The spec (https://html.spec.whatwg.org/#attr-fs-action) says:

> The action and formaction content attributes, if specified, must have
> a value that is a valid non-empty URL potentially surrounded by
> spaces.

Emphasis on non-empty. The action attribute is allowed to be omitted, in
which case the current URL is used, which is the same behavior as now.
Jon Dufresne 2020-03-13 06:26:06 -07:00 committed by Mariusz Felisiak
parent b7093860df
commit 3857a08bdb
4 changed files with 24 additions and 15 deletions


@ -19,7 +19,7 @@
{% endblock %} {% endblock %}
{% endif %} {% endif %}
{% block content %}<div id="content-main"> {% block content %}<div id="content-main">
<form action="{{ form_url }}" method="post" id="{{ opts.model_name }}_form">{% csrf_token %}{% block form_top %}{% endblock %} <form{% if form_url %} action="{{ form_url }}"{% endif %} method="post" id="{{ opts.model_name }}_form">{% csrf_token %}{% block form_top %}{% endblock %}
<input type="text" name="username" value="{{ original.get_username }}" style="display: none"> <input type="text" name="username" value="{{ original.get_username }}" style="display: none">
<div> <div>
{% if is_popup %}<input type="hidden" name="_popup" value="1">{% endif %} {% if is_popup %}<input type="hidden" name="_popup" value="1">{% endif %}
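Review bot: The reason the `action` attribute is now conditional is recorded only in the commit message, so the `<form>` tag in this hunk reads as an arbitrary guard on `form_url`. A short template comment beside it would keep a later editor from restoring the empty attribute, for example `{# Omit action when form_url is empty: action="" is invalid HTML5 and the browser then submits to the current URL. #}`. The same applies to the `<form>` tag in the next file section, where the conditional carries a trailing space rather than a leading one. The tests added in this commit match the rendered opening tag literally, so that whitespace placement is load-bearing and worth mentioning in the comment.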


@ -33,7 +33,7 @@
</ul> </ul>
{% endif %}{% endif %} {% endif %}{% endif %}
{% endblock %} {% endblock %}
<form {% if has_file_field %}enctype="multipart/form-data" {% endif %}action="{{ form_url }}" method="post" id="{{ opts.model_name }}_form" novalidate>{% csrf_token %}{% block form_top %}{% endblock %} <form {% if has_file_field %}enctype="multipart/form-data" {% endif %}{% if form_url %}action="{{ form_url }}" {% endif %}method="post" id="{{ opts.model_name }}_form" novalidate>{% csrf_token %}{% block form_top %}{% endblock %}
<div> <div>
{% if is_popup %}<input type="hidden" name="{{ is_popup_var }}" value="1">{% endif %} {% if is_popup %}<input type="hidden" name="{{ is_popup_var }}" value="1">{% endif %}
{% if to_field %}<input type="hidden" name="{{ to_field_var }}" value="{{ to_field }}">{% endif %} {% if to_field %}<input type="hidden" name="{{ to_field_var }}" value="{{ to_field }}">{% endif %}


@ -5868,21 +5868,19 @@ class AdminKeepChangeListFiltersTests(TestCase):
self.get_changelist_filters_querystring(), self.get_changelist_filters_querystring(),
) )
def get_add_url(self): def get_add_url(self, add_preserved_filters=True):
return '%s?%s' % ( url = reverse('admin:auth_user_add', current_app=self.admin_site.name)
reverse('admin:auth_user_add', if add_preserved_filters:
current_app=self.admin_site.name), url = '%s?%s' % (url, self.get_preserved_filters_querystring())
self.get_preserved_filters_querystring(), return url
)
def get_change_url(self, user_id=None): def get_change_url(self, user_id=None, add_preserved_filters=True):
if user_id is None: if user_id is None:
user_id = self.get_sample_user_id() user_id = self.get_sample_user_id()
return "%s?%s" % ( url = reverse('admin:auth_user_change', args=(user_id,), current_app=self.admin_site.name)
reverse('admin:auth_user_change', args=(user_id,), if add_preserved_filters:
current_app=self.admin_site.name), url = '%s?%s' % (url, self.get_preserved_filters_querystring())
self.get_preserved_filters_querystring(), return url
)
def get_history_url(self, user_id=None): def get_history_url(self, user_id=None):
if user_id is None: if user_id is None:
@ -5965,6 +5963,11 @@ class AdminKeepChangeListFiltersTests(TestCase):
self.assertRedirects(response, self.get_add_url()) self.assertRedirects(response, self.get_add_url())
post_data.pop('_addanother') post_data.pop('_addanother')
def test_change_view_without_preserved_filters(self):
response = self.client.get(self.get_change_url(add_preserved_filters=False))
# The action attribute is omitted.
self.assertContains(response, '<form method="post" id="user_form" novalidate>')
def test_add_view(self): def test_add_view(self):
# Get the `add_view`. # Get the `add_view`.
response = self.client.get(self.get_add_url()) response = self.client.get(self.get_add_url())
@ -6003,6 +6006,11 @@ class AdminKeepChangeListFiltersTests(TestCase):
self.assertRedirects(response, self.get_add_url()) self.assertRedirects(response, self.get_add_url())
post_data.pop('_addanother') post_data.pop('_addanother')
def test_add_view_without_preserved_filters(self):
response = self.client.get(self.get_add_url(add_preserved_filters=False))
# The action attribute is omitted.
self.assertContains(response, '<form method="post" id="user_form" novalidate>')
def test_delete_view(self): def test_delete_view(self):
# Test redirect on "Delete". # Test redirect on "Delete".
response = self.client.post(self.get_delete_url(), {'post': 'yes'}) response = self.client.post(self.get_delete_url(), {'post': 'yes'})
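Review bot: Both new tests, `test_change_view_without_preserved_filters` and `test_add_view_without_preserved_filters`, check for the absent attribute by matching the whole opening tag `'<form method="post" id="user_form" novalidate>'`, which also pins attribute order, spacing and `novalidate`. An unrelated template edit would then fail them for a reason that has nothing to do with `action`. Stating the intent directly next to the literal match would make such failures easier to read, for example `self.assertNotRegex(response.content.decode(), r'<form[^>]*\saction=')`, assuming no other form on the rendered page is expected to carry an action. The `UUIDUserTests` assertion in the last file section follows the same literal-tag pattern.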


@ -1284,7 +1284,8 @@ class UUIDUserTests(TestCase):
password_change_url = reverse('custom_user_admin:auth_user_password_change', args=(u.pk,)) password_change_url = reverse('custom_user_admin:auth_user_password_change', args=(u.pk,))
response = self.client.get(password_change_url) response = self.client.get(password_change_url)
self.assertEqual(response.status_code, 200) # The action attribute is omitted.
self.assertContains(response, '<form method="post" id="uuiduser_form">')
# A LogEntry is created with pk=1 which breaks a FK constraint on MySQL # A LogEntry is created with pk=1 which breaks a FK constraint on MySQL
with connection.constraint_checks_disabled(): with connection.constraint_checks_disabled():