From cbe6d5568f4f5053ed7228ca3c3d0cce77cf9560 Mon Sep 17 00:00:00 2001 From: Jacob Kaplan-Moss Date: Tue, 13 Aug 2013 11:06:41 -0500 Subject: [PATCH] Apply autoescaping to AdminURLFieldWidget. This is a security fix; disclosure to follow shortly. --- django/contrib/admin/widgets.py | 4 ++-- tests/admin_widgets/tests.py | 20 +++++++++++++------- 2 files changed, 15 insertions(+), 9 deletions(-) diff --git a/django/contrib/admin/widgets.py b/django/contrib/admin/widgets.py index c4b15cdd6a..5773db6394 100644 --- a/django/contrib/admin/widgets.py +++ b/django/contrib/admin/widgets.py @@ -305,9 +305,9 @@ class AdminURLFieldWidget(forms.URLInput): html = super(AdminURLFieldWidget, self).render(name, value, attrs) if value: value = force_text(self._format_value(value)) - final_attrs = {'href': mark_safe(smart_urlquote(value))} + final_attrs = {'href': smart_urlquote(value)} html = format_html( - '

{0} {2}
{3} {4}

', + '

{0} {2}
{3} {4}

', _('Currently:'), flatatt(final_attrs), value, _('Change:'), html ) diff --git a/tests/admin_widgets/tests.py b/tests/admin_widgets/tests.py index 5a88df1e57..9f5abe0684 100644 --- a/tests/admin_widgets/tests.py +++ b/tests/admin_widgets/tests.py @@ -321,18 +321,24 @@ class AdminURLWidgetTest(DjangoTestCase): w = widgets.AdminURLFieldWidget() self.assertHTMLEqual( conditional_escape(w.render('test', 'http://example-äüö.com')), - '

Currently:http://example-äüö.com
Change:

' + '

Currently: http://example-äüö.com
Change:

' ) def test_render_quoting(self): + # WARNING: Don't use assertHTMLEqual in that testcase! + # assertHTMLEqual will get rid of some escapes which are tested here! w = widgets.AdminURLFieldWidget() - self.assertHTMLEqual( - conditional_escape(w.render('test', 'http://example.com/some text')), - '

Currently:http://example.com/<sometag>some text</sometag>
Change:

' + self.assertEqual( + w.render('test', 'http://example.com/some text'), + '

Currently: http://example.com/<sometag>some text</sometag>
Change:

' ) - self.assertHTMLEqual( - conditional_escape(w.render('test', 'http://example-äüö.com/some text')), - '

Currently:http://example-äüö.com/<sometag>some text</sometag>
Change:

' + self.assertEqual( + w.render('test', 'http://example-äüö.com/some text'), + '

Currently: http://example-äüö.com/<sometag>some text</sometag>
Change:

' + ) + self.assertEqual( + w.render('test', 'http://www.example.com/%C3%A4">"'), + '

Currently: http://www.example.com/%C3%A4"><script>alert("XSS!")</script>"
Change:

' )