From 1966786d2dde73e17f39cf340eb33fcb5d73904e Mon Sep 17 00:00:00 2001
From: Carl Meyer
Date: Wed, 9 Feb 2011 02:48:48 +0000
Subject: [PATCH] [1.1.X] Fixed security issue in AdminFileWidget. Release and disclosure forthcoming.
git-svn-id: http://code.djangoproject.com/svn/django/branches/releases/1.1.X@15472 bcc190cf-cafb-0310-a4f2-bffc1f526a37
---
 django/contrib/admin/widgets.py | 2 +-
 tests/regressiontests/admin_widgets/tests.py | 16 ++++++++++++++++
 2 files changed, 17 insertions(+), 1 deletion(-)
diff --git a/django/contrib/admin/widgets.py b/django/contrib/admin/widgets.py
index 17067346f6c17..228b592fdaa03 100644
--- a/django/contrib/admin/widgets.py
+++ b/django/contrib/admin/widgets.py
@@ -93,7 +93,7 @@ def render(self, name, value, attrs=None):
 output = []
 if value and hasattr(value, "url"):
 output.append('%s %s
%s ' % \
- (_('Currently:'), value.url, value, _('Change:')))
+ (_('Currently:'), escape(value.url), escape(value), _('Change:')))
 output.append(super(AdminFileWidget, self).render(name, value, attrs))
 return mark_safe(u''.join(output))
diff --git a/tests/regressiontests/admin_widgets/tests.py b/tests/regressiontests/admin_widgets/tests.py
index 64e12e3eaaa5b..e69e5d2b71522 100644
--- a/tests/regressiontests/admin_widgets/tests.py
+++ b/tests/regressiontests/admin_widgets/tests.py
@@ -154,3 +154,19 @@ def test_nonexistent_target_id(self):
 post_data)
 self.assertContains(response, 'Select a valid choice. That choice is not one of the available choices.')
+
+class AdminFileWidgetTest(DjangoTestCase):
+ def test_render_escapes_html(self):
+ class StrangeFieldFile(object):
+ url = "something?chapter=1§=2©=3&lang=en"
+
+ def __unicode__(self):
+ return u'''something
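Review bot: The `+` line escapes both `value.url` and `value` but leaves no trace of why, and the `mark_safe(u''.join(output))` two lines later makes it easy for a later edit to add another unescaped `%s` to the same format string; I would add a comment above the `output.append` line: `# value.url and unicode(value) derive from the uploaded file name; escape both, since the joined output is marked safe below.` The hunk contains no import change and the diffstat reports one insertion and one deletion for widgets.py, so `escape` is presumably already imported in this module — worth confirming. The `%s %s` / `%s ` text shown for the format string appears to have lost its HTML markup in this rendering, so the string as displayed is not the literal in the file. `render` is a method whose `def` line appears only in the hunk header.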
.jpg'''
+
+ widget = widgets.AdminFileWidget()
+ field = StrangeFieldFile()
+ output = widget.render('myfile', field)
+ self.assertFalse(field.url in output)
+ self.assertTrue(u'href="something?chapter=1&sect=2&copy=3&lang=en"' in output)
+ self.assertFalse(unicode(field) in output)
+ self.assertTrue(u'something<div onclick="alert('oops')">.jpg' in output)
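Review bot: `test_render_escapes_html` carries no docstring, so a reader cannot tell what regression it pins without reverse-engineering `StrangeFieldFile`; I would add `"""AdminFileWidget must HTML-escape the file URL and name it interpolates into its output."""` as the first line of the method body. The assertions are otherwise well chosen: for each of the two values they check both that the raw form is absent and that the escaped form is present. Note that on this page the `url` literal shows `§` and `©` and the `__unicode__` literal is split across a line break, while the final assertion expects `&sect=2&copy=3`; the displayed hunk has evidently been entity-decoded and had markup stripped, so the exact literals should be read from the repository rather than from here. `AdminFileWidgetTest` is complete within the hunk.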