From 90363e388c61874add3f3557ee654a996ec75d78 Mon Sep 17 00:00:00 2001 From: Jacob Kaplan-Moss Date: Tue, 13 Aug 2013 11:04:21 -0500 Subject: [PATCH] Apply autoescaping to AdminURLFieldWidget. This is a security fix; disclosure to follow shortly. --- django/contrib/admin/widgets.py | 4 ++-- tests/regressiontests/admin_widgets/tests.py | 20 +++++++++++++------- 2 files changed, 15 insertions(+), 9 deletions(-) diff --git a/django/contrib/admin/widgets.py b/django/contrib/admin/widgets.py index 1e6277fb87f39..1635ea00857da 100644 --- a/django/contrib/admin/widgets.py +++ b/django/contrib/admin/widgets.py @@ -310,9 +310,9 @@ def render(self, name, value, attrs=None): html = super(AdminURLFieldWidget, self).render(name, value, attrs) if value: value = force_text(self._format_value(value)) - final_attrs = {'href': mark_safe(smart_urlquote(value))} + final_attrs = {'href': smart_urlquote(value)} html = format_html( - '

{0} {2}
{3} {4}

', + '

{0} {2}
{3} {4}

', _('Currently:'), flatatt(final_attrs), value, _('Change:'), html ) diff --git a/tests/regressiontests/admin_widgets/tests.py b/tests/regressiontests/admin_widgets/tests.py index fa599c618c3e1..b3fff1fecca00 100644 --- a/tests/regressiontests/admin_widgets/tests.py +++ b/tests/regressiontests/admin_widgets/tests.py @@ -299,18 +299,24 @@ def test_render_idn(self): w = widgets.AdminURLFieldWidget() self.assertHTMLEqual( conditional_escape(w.render('test', 'http://example-äüö.com')), - '
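Review bot: Dropping mark_safe on the href stops attribute and markup injection, but nothing in render() constrains the URL's scheme, so a stored value such as `javascript:alert(1)` is still emitted as a live link on the "Currently:" line; escaping neutralises quotes and angle brackets, not the scheme. The model field's URL validators only help when every write path runs them, which the widget cannot assume, so consider guarding the link, e.g. only building `final_attrs` with the `href` when `urlsplit(value).scheme.lower() in ('http', 'https', 'ftp', 'ftps')` and otherwise rendering the value as plain text. The tag text of the format string is not legible in this rendering of the hunk, so this is inferred from the visible arguments: `{1}` is `flatatt(final_attrs)` and `{2}` the escaped `value`. render() appears to continue past the hunk (its return is not shown).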

Currently:http://example-äüö.com
Change:

' + '

Currently: http://example-äüö.com
Change:

' ) def test_render_quoting(self): + # WARNING: Don't use assertHTMLEqual in that testcase! + # assertHTMLEqual will get rid of some escapes which are tested here! w = widgets.AdminURLFieldWidget() - self.assertHTMLEqual( - conditional_escape(w.render('test', 'http://example.com/some text')), - '

Currently:http://example.com/<sometag>some text</sometag>
Change:

' + self.assertEqual( + w.render('test', 'http://example.com/some text'), + '

Currently: http://example.com/<sometag>some text</sometag>
Change:

' ) - self.assertHTMLEqual( - conditional_escape(w.render('test', 'http://example-äüö.com/some text')), - '

Currently:http://example-äüö.com/<sometag>some text</sometag>
Change:

' + self.assertEqual( + w.render('test', 'http://example-äüö.com/some text'), + '

Currently: http://example-äüö.com/<sometag>some text</sometag>
Change:

' + ) + self.assertEqual( + w.render('test', 'http://www.example.com/%C3%A4">"'), + '

Currently: http://www.example.com/%C3%A4"><script>alert("XSS!")</script>"
Change:

' )