From 719f2fe51e6ef00a242d3b756e4cc4d4c39d5006 Mon Sep 17 00:00:00 2001
From: Nic Pottier
Date: Mon, 27 Apr 2020 17:34:16 -0700
Subject: [PATCH] fix XSS in url parameter keys

---
 requirements/base.txt | 2 +-
 smartmin/views.py | 2 +-
 test_runner/blog/tests.py | 4 ++++
 3 files changed, 6 insertions(+), 2 deletions(-)

diff --git a/requirements/base.txt b/requirements/base.txt
index 381b744..915f19c 100644
--- a/requirements/base.txt
+++ b/requirements/base.txt
@@ -1,5 +1,5 @@
 celery
-django>=2.1,<3.0
+django>=2.2.10,<3.0
 django_compressor
 pytz
 redis
diff --git a/smartmin/views.py b/smartmin/views.py
index 5c8bc20..d2a23b0 100644
--- a/smartmin/views.py
+++ b/smartmin/views.py
@@ -325,7 +325,7 @@ def get_context_data(self, **kwargs):
 for key in self.request.GET.keys():
 if key != 'page' and key != 'pjax' and (len(key) == 0 or key[0] != '_'):
 for value in self.request.GET.getlist(key):
-url_params += "%s=%s&" % (key, urlquote(value))
+url_params += "%s=%s&" % (urlquote(key), urlquote(value))
 
 elif key == '_order':
 order_params = "&".join(["%s=%s" % (key, _) for _ in self.request.GET.getlist(key)])
diff --git a/test_runner/blog/tests.py b/test_runner/blog/tests.py
index c3f2f51..0c8e970 100644
--- a/test_runner/blog/tests.py
+++ b/test_runner/blog/tests.py
@@ -266,6 +266,10 @@ def test_list(self):
 self.assertEqual(response.context['url_params'], '?=x&foo=bar&')
 self.assertEqual(response.context['order_params'], '_order=-title&')
 
+# check escaping of keys and values in params
+response = self.client.get(reverse('blog.post_list') + "?\"=")
+self.assertEqual(response.context['url_params'], '?%22%3Calert%3E=%3Calert%3E&')
+
 def test_list_no_pagination(self):
 post1 = Post.objects.create(title="A First Post", body="Apples", order=3, tags="post", created_by=self.author, modified_by=self.author)
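Review bot: The `_order` branch on the last line of the smartmin/views.py hunk still interpolates the raw query values into `order_params` (`"%s=%s" % (key, _)`), so the unescaped-parameter pattern the commit closes for `url_params` remains for `_order`; `order_params = "&".join(["%s=%s" % (key, urlquote(_)) for _ in self.request.GET.getlist(key)])` would bring it in line, assuming `order_params` reaches a template the same way `url_params` does (not visible here). A more idiomatic form for the `url_params` loop is `urllib.parse.urlencode(..., doseq=True)` over the filtered items, but it uses `quote_plus` (space becomes `+`) where `urlquote` yields `%20`, so the existing assertions in `test_list` would need re-checking before switching. `get_context_data` begins and ends outside the hunk.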
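Review bot: The request in the added test_runner/blog/tests.py lines, `reverse('blog.post_list') + "?\"="`, contains no `<alert>` text, yet the assertion expects `'?%22%3Calert%3E=%3Calert%3E&'`; as printed here the two cannot both be right, so either the angle-bracketed text was dropped from this copy of the patch or the assertion will fail. If the latter, the query should be `"?\"<alert>=<alert>"` to match the expected encoding. The new assertion also pins only `url_params`; a parallel check that a quoted `_order` value is encoded in `order_params` would cover the other branch of the same view. `test_list` begins outside the hunk.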