[1.2.X] Fixed security issue in AdminFileWidget. Disclosure and release forthcoming.

git-svn-id: http://code.djangoproject.com/svn/django/branches/releases/1.2.X@15471 bcc190cf-cafb-0310-a4f2-bffc1f526a37
commit 1f814a9547842dcfabdae09573055984af9d3fab 1 parent 1945664
Carl Meyer authored
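--- a/django/contrib/admin/widgets.py
+++ b/django/contrib/admin/widgets.py
@@ -96,7 +96,7 @@ def render(self, name, value, attrs=None):
         output = []
         if value and hasattr(value, "url"):
             output.append('%s <a target="_blank" href="%s">%s</a> <br />%s ' % \
-                (_('Currently:'), value.url, value, _('Change:')))
+                (_('Currently:'), escape(value.url), escape(value), _('Change:')))
         output.append(super(AdminFileWidget, self).render(name, value, attrs))
         return mark_safe(u''.join(output))
 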
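Review bot: The new line relies on a name `escape` that this hunk does not introduce; the module's import block is outside the hunk, so confirm `django.utils.html.escape` is already imported in widgets.py rather than resolving to something else in scope. `escape()` only neutralises HTML metacharacters, so it stops attribute breakout and the injected `<div onclick>` filename, but a `value.url` beginning with `javascript:` would still be emitted as a live `href`; that is presumably acceptable because `url` comes from the storage backend rather than from the request, and it is worth saying so with a comment such as `# escape() prevents HTML/attribute injection; it does not validate the URL scheme, which is trusted from the storage backend`. Wrapping the joined result in `mark_safe` remains correct after this change since every interpolated value is now escaped and the superclass render output is already safe. `render` starts before this hunk.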
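--- a/tests/regressiontests/admin_widgets/tests.py
+++ b/tests/regressiontests/admin_widgets/tests.py
@@ -239,6 +239,22 @@ def test_render(self):
             '<input type="file" name="test" />',
         )
 
+    def test_render_escapes_html(self):
+        class StrangeFieldFile(object):
+            url = "something?chapter=1&sect=2&copy=3&lang=en"
+
+            def __unicode__(self):
+                return u'''something<div onclick="alert('oops')">.jpg'''
+
+        widget = AdminFileWidget()
+        field = StrangeFieldFile()
+        output = widget.render('myfile', field)
+        self.assertFalse(field.url in output)
+        self.assertTrue(u'href="something?chapter=1&amp;sect=2&amp;copy=3&amp;lang=en"' in output)
+        self.assertFalse(unicode(field) in output)
+        self.assertTrue(u'something&lt;div onclick=&quot;alert(&#39;oops&#39;)&quot;&gt;.jpg' in output)
+
+
 
 class ForeignKeyRawIdWidgetTest(DjangoTestCase):
     def test_render(self):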
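Review bot: The new test pins the escaped output but does not say why these particular inputs were chosen, so a later cleanup could simplify them and silently weaken the regression check; add a comment above `url` such as `# "&copy" with no trailing ";" is a valid HTML entity reference, so an unescaped href would render as "©=3"` and one above `__unicode__` noting that the filename carries an inline event handler to exercise the XSS path. The `assertFalse(field.url in output)` and `assertFalse(unicode(field) in output)` checks are only meaningful because both values contain characters that `escape()` rewrites; if either fixture is ever simplified to plain text those assertions pass vacuously, which the comments would make clear. The enclosing test class starts before this hunk.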
