Apply autoescaping to AdminURLFieldWidget.

This is a security fix; disclosure to follow shortly.
commit cbe6d5568f4f5053ed7228ca3c3d0cce77cf9560 1 parent ae35351
Jacob Kaplan-Moss authored August 13, 2013
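--- a/django/contrib/admin/widgets.py
+++ b/django/contrib/admin/widgets.py
@@ -305,9 +305,9 @@ def render(self, name, value, attrs=None):
         html = super(AdminURLFieldWidget, self).render(name, value, attrs)
         if value:
             value = force_text(self._format_value(value))
-            final_attrs = {'href': mark_safe(smart_urlquote(value))}
+            final_attrs = {'href': smart_urlquote(value)}
             html = format_html(
-                '<p class="url">{0} <a {1}>{2}</a><br />{3} {4}</p>',
+                '<p class="url">{0} <a{1}>{2}</a><br />{3} {4}</p>',
                 _('Currently:'), flatatt(final_attrs), value,
                 _('Change:'), html
             )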
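Review bot: The new `final_attrs` line at 308 now depends on `flatatt()` HTML-escaping the href (which is presumably also why the template's `<a {1}>` lost its space — the leading space must now come from flatatt's own output), and nothing in the hunk records that contract, so a later "cleanup" that re-adds `mark_safe` would silently reopen the attribute breakout. I would add above line 308: `# Do not mark_safe this: smart_urlquote() yields a URL, not HTML-safe text; flatatt() escapes it into the attribute.` Escaping stops attribute breakout but does not constrain the scheme — a stored value such as `javascript:...` would presumably still be rendered as a live link here; confirm that URLField validation is the only way a value reaches this widget. `render()` begins before the hunk and its return is not shown.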
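--- a/tests/admin_widgets/tests.py
+++ b/tests/admin_widgets/tests.py
@@ -321,18 +321,24 @@ def test_render_idn(self):
         w = widgets.AdminURLFieldWidget()
         self.assertHTMLEqual(
             conditional_escape(w.render('test', 'http://example-äüö.com')),
-            '<p class="url">Currently:<a href="http://xn--example--7za4pnc.com">http://example-äüö.com</a><br />Change:<input class="vURLField" name="test" type="url" value="http://example-äüö.com" /></p>'
+            '<p class="url">Currently: <a href="http://xn--example--7za4pnc.com">http://example-äüö.com</a><br />Change:<input class="vURLField" name="test" type="url" value="http://example-äüö.com" /></p>'
         )
 
     def test_render_quoting(self):
+        # WARNING: Don't use assertHTMLEqual in that testcase!
+        # assertHTMLEqual will get rid of some escapes which are tested here!
         w = widgets.AdminURLFieldWidget()
-        self.assertHTMLEqual(
-            conditional_escape(w.render('test', 'http://example.com/<sometag>some text</sometag>')),
-            '<p class="url">Currently:<a href="http://example.com/%3Csometag%3Esome%20text%3C/sometag%3E">http://example.com/&lt;sometag&gt;some text&lt;/sometag&gt;</a><br />Change:<input class="vURLField" name="test" type="url" value="http://example.com/<sometag>some text</sometag>" /></p>'
+        self.assertEqual(
+            w.render('test', 'http://example.com/<sometag>some text</sometag>'),
+            '<p class="url">Currently: <a href="http://example.com/%3Csometag%3Esome%20text%3C/sometag%3E">http://example.com/&lt;sometag&gt;some text&lt;/sometag&gt;</a><br />Change: <input class="vURLField" name="test" type="url" value="http://example.com/&lt;sometag&gt;some text&lt;/sometag&gt;" /></p>'
         )
-        self.assertHTMLEqual(
-            conditional_escape(w.render('test', 'http://example-äüö.com/<sometag>some text</sometag>')),
-            '<p class="url">Currently:<a href="http://xn--example--7za4pnc.com/%3Csometag%3Esome%20text%3C/sometag%3E">http://example-äüö.com/&lt;sometag&gt;some text&lt;/sometag&gt;</a><br />Change:<input class="vURLField" name="test" type="url" value="http://example-äüö.com/<sometag>some text</sometag>" /></p>'
+        self.assertEqual(
+            w.render('test', 'http://example-äüö.com/<sometag>some text</sometag>'),
+            '<p class="url">Currently: <a href="http://xn--example--7za4pnc.com/%3Csometag%3Esome%20text%3C/sometag%3E">http://example-äüö.com/&lt;sometag&gt;some text&lt;/sometag&gt;</a><br />Change: <input class="vURLField" name="test" type="url" value="http://example-äüö.com/&lt;sometag&gt;some text&lt;/sometag&gt;" /></p>'
+        )
+        self.assertEqual(
+            w.render('test', 'http://www.example.com/%C3%A4"><script>alert("XSS!")</script>"'),
+            '<p class="url">Currently: <a href="http://www.example.com/%C3%A4%22%3E%3Cscript%3Ealert(%22XSS!%22)%3C/script%3E%22">http://www.example.com/%C3%A4&quot;&gt;&lt;script&gt;alert(&quot;XSS!&quot;)&lt;/script&gt;&quot;</a><br />Change: <input class="vURLField" name="test" type="url" value="http://www.example.com/%C3%A4&quot;&gt;&lt;script&gt;alert(&quot;XSS!&quot;)&lt;/script&gt;&quot;" /></p>'
         )
 
 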
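Review bot: The new assertions at 331–341 pin the entire rendered string, so the XSS regression check at 339–341 will also fail on any unrelated change to the label text or `<input>` attribute order, and a reader has to diff two long literals to see which part is the security property. Keep the exact-string checks if you want them, but add an explicit negative assertion that states the intent and survives markup churn: `self.assertNotIn('<script>', w.render('test', 'http://www.example.com/%C3%A4"><script>alert("XSS!")</script>"'))`. The `conditional_escape(...)` wrapper kept in `test_render_idn` at 323 is now inconsistent with the quoting test, which calls `w.render()` directly; if `render()` returns safe text, as `format_html` output presumably does, the wrapper is a no-op and only obscures what is being asserted. `test_render_idn` begins before the hunk.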
