@@ -446,7 +446,8 @@ def test_security_check(self, password='password'):
446446 for bad_url in ('http://example.com' ,
447447 'https://example.com' ,
448448 'ftp://exampel.com' ,
449- '//example.com' ):
449+ '//example.com' ,
450+ 'javascript:alert("XSS")' ):
450451
451452 nasty_url = '%(url)s?%(next)s=%(bad_url)s' % {
452453 'url' : login_url ,
@@ -467,6 +468,7 @@ def test_security_check(self, password='password'):
467468 '/view?param=ftp://exampel.com' ,
468469 'view/?param=//example.com' ,
469470 'https:///' ,
471+ 'HTTPS:///' ,
470472 '//testserver/' ,
471473 '/url%20with%20spaces/' ): # see ticket #12534
472474 safe_url = '%(url)s?%(next)s=%(good_url)s' % {
@@ -661,7 +663,8 @@ def test_security_check(self, password='password'):
661663 for bad_url in ('http://example.com' ,
662664 'https://example.com' ,
663665 'ftp://exampel.com' ,
664- '//example.com' ):
666+ '//example.com' ,
667+ 'javascript:alert("XSS")' ):
665668 nasty_url = '%(url)s?%(next)s=%(bad_url)s' % {
666669 'url' : logout_url ,
667670 'next' : REDIRECT_FIELD_NAME ,
@@ -680,6 +683,7 @@ def test_security_check(self, password='password'):
680683 '/view?param=ftp://exampel.com' ,
681684 'view/?param=//example.com' ,
682685 'https:///' ,
686+ 'HTTPS:///' ,
683687 '//testserver/' ,
684688 '/url%20with%20spaces/' ): # see ticket #12534
685689 safe_url = '%(url)s?%(next)s=%(good_url)s' % {
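Review bot: The new unsafe entry `'javascript:alert("XSS")'` (the `450+` line in the first hunk and the `667+` line in the third) only exercises a lowercase scheme, while the `'HTTPS:///'` entries added to the safe lists show the redirect-safety helper under test (presumably is_safe_url, whose change is not visible here) is expected to normalise scheme case; a mixed-case variant such as `'JaVaScRiPt:alert("XSS")'` in the same bad_url tuples would pin that the rejection is case-insensitive as well. The login and logout versions of the test also repeat the same bad_url and good_url tuples verbatim, so the two lists can drift apart; hoisting them into module-level constants would keep future additions in sync. test_security_check begins and ends outside these hunks.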