Fixed #15182 - Fixed a security issue with ClearableFileInput. Disclosure and new release forthcoming.

git-svn-id: http://code.djangoproject.com/svn/django/trunk@15470 bcc190cf-cafb-0310-a4f2-bffc1f526a37
commit 9f6d50d02ea7ce1c5c2adf1c7819700a7912e0d7 1 parent 6ca7c9c
Carl Meyer authored February 09, 2011
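--- a/django/forms/widgets.py
+++ b/django/forms/widgets.py
@@ -330,12 +330,13 @@ def render(self, name, value, attrs=None):
         if value and hasattr(value, "url"):
             template = self.template_with_initial
             substitutions['initial'] = (u'<a href="%s">%s</a>'
-                                        % (value.url, value))
+                                        % (escape(value.url),
+                                           escape(force_unicode(value))))
             if not self.is_required:
                 checkbox_name = self.clear_checkbox_name(name)
                 checkbox_id = self.clear_checkbox_id(checkbox_name)
-                substitutions['clear_checkbox_name'] = checkbox_name
-                substitutions['clear_checkbox_id'] = checkbox_id
+                substitutions['clear_checkbox_name'] = conditional_escape(checkbox_name)
+                substitutions['clear_checkbox_id'] = conditional_escape(checkbox_id)
                 substitutions['clear'] = CheckboxInput().render(checkbox_name, False, attrs={'id': checkbox_id})
                 substitutions['clear_template'] = self.template_with_clear % substitutions
 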
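Review bot: The two new escaping sites use different helpers with no comment explaining the split: `value.url` and `force_unicode(value)` go through unconditional `escape()`, while `checkbox_name`/`checkbox_id` go through `conditional_escape()`, which leaves anything already marked safe untouched. A one-line comment above the `substitutions['initial']` assignment would make that choice reviewable, e.g. `# url/filename are plain text from storage, so escape unconditionally; name may arrive pre-escaped (SafeData), so only conditional_escape it` — the "plain text from storage" half is my inference and should be confirmed against the FieldFile implementation. Worth noting in the same comment that `escape(value.url)` only neutralises the double-quoted attribute context; it does not validate the URL itself, so the href remains only as trustworthy as the storage backend that produced it. `render` begins before this hunk, and the `escape`/`conditional_escape`/`force_unicode` imports are not visible here (the 7-line diffstat suggests they were already present).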
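--- a/tests/regressiontests/forms/tests/widgets.py
+++ b/tests/regressiontests/forms/tests/widgets.py
@@ -1086,6 +1086,28 @@ def test_clear_input_renders(self):
         self.assertEqual(widget.render('myfile', FakeFieldFile()),
                          u'Currently: <a href="something">something</a> <input type="checkbox" name="myfile-clear" id="myfile-clear_id" /> <label for="myfile-clear_id">Clear</label><br />Change: <input type="file" name="myfile" />')
 
+    def test_html_escaped(self):
+        """
+        A ClearableFileInput should escape name, filename and URL when
+        rendering HTML. Refs #15182.
+        """
+
+        class StrangeFieldFile(object):
+            url = "something?chapter=1&sect=2&copy=3&lang=en"
+
+            def __unicode__(self):
+                return u'''something<div onclick="alert('oops')">.jpg'''
+
+        widget = ClearableFileInput()
+        field = StrangeFieldFile()
+        output = widget.render('my<div>file', field)
+        self.assertFalse(field.url in output)
+        self.assertTrue(u'href="something?chapter=1&amp;sect=2&amp;copy=3&amp;lang=en"' in output)
+        self.assertFalse(unicode(field) in output)
+        self.assertTrue(u'something&lt;div onclick=&quot;alert(&#39;oops&#39;)&quot;&gt;.jpg' in output)
+        self.assertTrue(u'my&lt;div&gt;file' in output)
+        self.assertFalse(u'my<div>file' in output)
+
     def test_clear_input_renders_only_if_not_required(self):
         """
         A ClearableFileInput with is_required=False does not render a clear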
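Review bot: The URL case in `StrangeFieldFile.url` only contains `&`, so the test never checks the one character that actually breaks out of the double-quoted `href="%s"` attribute the widget renders; the filename case covers `"` but the URL case does not. Extending the fixture to `url = 'something?chapter=1&sect=2&copy=3&lang="en"'` and adjusting the href assertion to expect `&amp;lang=&quot;en&quot;"` would pin the attribute-context escaping that the `escape(value.url)` change exists for. As a style point, `self.assertTrue(x in output)` / `self.assertFalse(x in output)` report only "False is not true" on failure; if the test base class offers `assertIn`/`assertNotIn`, those name the offending substring. The enclosing test class starts outside this hunk.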
