
Commit 90363e3

committed
Apply autoescaping to AdminURLFieldWidget.
This is a security fix; disclosure to follow shortly.
1 parent 1a274cc commit 90363e3

2 files changed

+15
-9
lines changed


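--- a/django/contrib/admin/widgets.py
+++ b/django/contrib/admin/widgets.py
@@ -310,9 +310,9 @@ def render(self, name, value, attrs=None):
 html = super(AdminURLFieldWidget, self).render(name, value, attrs)
 if value:
 value = force_text(self._format_value(value))
-final_attrs = {'href': mark_safe(smart_urlquote(value))}
+final_attrs = {'href': smart_urlquote(value)}
 html = format_html(
-'<p class="url">{0} <a {1}>{2}</a><br />{3} {4}</p>',
+'<p class="url">{0} <a{1}>{2}</a><br />{3} {4}</p>',
 _('Currently:'), flatatt(final_attrs), value,
 _('Change:'), html
 )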
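Review bot: New line 313 drops mark_safe() without saying why, and nothing stops a later refactor from wrapping the href again; a one-line comment on that line would pin the intent, e.g. `# Not mark_safe(): flatatt() must still HTML-escape the quoted href.` The `<a{1}>` change on line 315 presumably relies on flatatt() emitting a leading space before each attribute (the tests in this commit expect `<a href=`), which is worth stating in the same comment. The enclosing render() begins above the hunk, so where `value` comes from and how the inherited `html` is escaped are not visible here. Autoescaping addresses attribute and tag injection only; any restriction of the stored value to expected URL schemes is a validation concern decided elsewhere and is not changed by this hunk.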

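--- a/tests/regressiontests/admin_widgets/tests.py
+++ b/tests/regressiontests/admin_widgets/tests.py
@@ -299,18 +299,24 @@ def test_render_idn(self):
 w = widgets.AdminURLFieldWidget()
 self.assertHTMLEqual(
 conditional_escape(w.render('test', 'http://example-äüö.com')),
-'<p class="url">Currently:<a href="http://xn--example--7za4pnc.com">http://example-äüö.com</a><br />Change:<input class="vURLField" name="test" type="text" value="http://example-äüö.com" /></p>'
+'<p class="url">Currently: <a href="http://xn--example--7za4pnc.com">http://example-äüö.com</a><br />Change:<input class="vURLField" name="test" type="text" value="http://example-äüö.com" /></p>'
 )
 
 def test_render_quoting(self):
+# WARNING: Don't use assertHTMLEqual in that testcase!
+# assertHTMLEqual will get rid of some escapes which are tested here!
 w = widgets.AdminURLFieldWidget()
-self.assertHTMLEqual(
-conditional_escape(w.render('test', 'http://example.com/<sometag>some text</sometag>')),
-'<p class="url">Currently:<a href="http://example.com/%3Csometag%3Esome%20text%3C/sometag%3E">http://example.com/&lt;sometag&gt;some text&lt;/sometag&gt;</a><br />Change:<input class="vURLField" name="test" type="text" value="http://example.com/<sometag>some text</sometag>" /></p>'
+self.assertEqual(
+w.render('test', 'http://example.com/<sometag>some text</sometag>'),
+'<p class="url">Currently: <a href="http://example.com/%3Csometag%3Esome%20text%3C/sometag%3E">http://example.com/&lt;sometag&gt;some text&lt;/sometag&gt;</a><br />Change: <input class="vURLField" name="test" type="text" value="http://example.com/&lt;sometag&gt;some text&lt;/sometag&gt;" /></p>'
 )
-self.assertHTMLEqual(
-conditional_escape(w.render('test', 'http://example-äüö.com/<sometag>some text</sometag>')),
-'<p class="url">Currently:<a href="http://xn--example--7za4pnc.com/%3Csometag%3Esome%20text%3C/sometag%3E">http://example-äüö.com/&lt;sometag&gt;some text&lt;/sometag&gt;</a><br />Change:<input class="vURLField" name="test" type="text" value="http://example-äüö.com/<sometag>some text</sometag>" /></p>'
+self.assertEqual(
+w.render('test', 'http://example-äüö.com/<sometag>some text</sometag>'),
+'<p class="url">Currently: <a href="http://xn--example--7za4pnc.com/%3Csometag%3Esome%20text%3C/sometag%3E">http://example-äüö.com/&lt;sometag&gt;some text&lt;/sometag&gt;</a><br />Change: <input class="vURLField" name="test" type="text" value="http://example-äüö.com/&lt;sometag&gt;some text&lt;/sometag&gt;" /></p>'
+)
+self.assertEqual(
+w.render('test', 'http://www.example.com/%C3%A4"><script>alert("XSS!")</script>"'),
+'<p class="url">Currently: <a href="http://www.example.com/%C3%A4%22%3E%3Cscript%3Ealert(%22XSS!%22)%3C/script%3E%22">http://www.example.com/%C3%A4&quot;&gt;&lt;script&gt;alert(&quot;XSS!&quot;)&lt;/script&gt;&quot;</a><br />Change: <input class="vURLField" name="test" type="text" value="http://www.example.com/%C3%A4&quot;&gt;&lt;script&gt;alert(&quot;XSS!&quot;)&lt;/script&gt;&quot;" /></p>'
 )
 
 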
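Review bot: test_render_idn at lines 300-302 still wraps render() in conditional_escape() and compares with assertHTMLEqual, which is exactly the lossy comparison the new comment at 306-307 warns against; since render() returns format_html() output it is presumably already marked safe, so conditional_escape() adds nothing there and the same assertEqual shape used below would make that test guard escaping as well. The new comment would read better as a rationale rather than a warning, e.g. `# Use assertEqual: assertHTMLEqual normalises entities and would hide the escaping under test.` The added expectations at 311, 315 and 319 also pin the single space after "Currently:" and "Change:" introduced by the widget change in django/contrib/admin/widgets.py, so a failure here may be a spacing regression rather than an escaping one, which a short comment could call out. test_render_idn starts above the hunk, so its setup is not visible here.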
