@@ -328,7 +328,8 @@ def test_security_check(self, password='password'):
328328 for bad_url in ('http://example.com' ,
329329 'https://example.com' ,
330330 'ftp://exampel.com' ,
331- '//example.com' ):
331+ '//example.com' ,
332+ 'javascript:alert("XSS")' ):
332333
333334 nasty_url = '%(url)s?%(next)s=%(bad_url)s' % {
334335 'url' : login_url ,
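Review bot: The new `'javascript:alert("XSS")'` entry only exercises rejection of a lowercase scheme, while the sibling hunk (old lines 349–354) adds `'HTTPS:///'` to the safe list specifically to cover scheme case-insensitivity; the rejection path deserves the same coverage, e.g. `'JavaScript:alert("XSS")',` next to it, so a check that normalises case only on the allow side would still fail the test. The identical bad-URL tuple is duplicated in the logout hunk at old lines 522–528 and would need the same entry; better, hoist both tuples into one module-level constant so the login and logout tests cannot drift apart. The value is interpolated unescaped into the query string on the nasty_url lines that follow, so the quotes and parentheses reach the test client's URL parser unencoded — this presumably works, but `urllib.parse.quote(bad_url)` would make that independent of client normalisation. test_security_check begins and ends outside this hunk.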
@@ -349,6 +350,7 @@ def test_security_check(self, password='password'):
349350 '/view?param=ftp://exampel.com' ,
350351 'view/?param=//example.com' ,
351352 'https:///' ,
353+ 'HTTPS:///' ,
352354 '//testserver/' ,
353355 '/url%20with%20spaces/' ): # see ticket #12534
354356 safe_url = '%(url)s?%(next)s=%(good_url)s' % {
@@ -522,7 +524,8 @@ def test_security_check(self, password='password'):
522524 for bad_url in ('http://example.com' ,
523525 'https://example.com' ,
524526 'ftp://exampel.com' ,
525- '//example.com' ):
527+ '//example.com' ,
528+ 'javascript:alert("XSS")' ):
526529 nasty_url = '%(url)s?%(next)s=%(bad_url)s' % {
527530 'url' : logout_url ,
528531 'next' : REDIRECT_FIELD_NAME ,
@@ -541,6 +544,7 @@ def test_security_check(self, password='password'):
541544 '/view?param=ftp://exampel.com' ,
542545 'view/?param=//example.com' ,
543546 'https:///' ,
547+ 'HTTPS:///' ,
544548 '//testserver/' ,
545549 '/url%20with%20spaces/' ): # see ticket #12534
546550 safe_url = '%(url)s?%(next)s=%(good_url)s' % {