wagtail/contrib/modeladmin
2 files changed +16
-2
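--- a/wagtail/contrib/modeladmin/FILE_PATH_NOT_ON_PAGE
+++ b/wagtail/contrib/modeladmin/FILE_PATH_NOT_ON_PAGE
@@ -1,5 +1,4 @@
 from django import forms
-from django .utils .safestring import mark_safe
 from django .utils .translation import gettext as _
 
 from wagtail .models import Page
@@ -12,7 +11,7 @@ def label_from_instance(self, obj):
 obj .get_ancestors (inclusive = True ).exclude (depth = 1 ).specific (defer = True )
 ):
 bits .append (ancestor .get_admin_display_title ())
-return mark_safe ( '<span class="icon icon-arrow-right"></span>' .join (bits ) )
+return " | " .join (bits )
 
 
 class ParentChooserForm (forms .Form ):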
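Review bot: The new `return " | ".join(bits)` on the `14+` line drops `mark_safe` without recording why, so a later change could bring the icon separator back together with `mark_safe` and silently reintroduce the unescaped-title problem the test in this commit guards against. A one-line comment above the return would pin the intent: `# Return plain text: ancestor titles come from page data, so escaping is left to the form rendering.` If the arrow icon is wanted back, the safe way is to build the label with `format_html_join` over the individual titles rather than marking the joined string safe. The enclosing `label_from_instance` starts outside the hunk.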
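--- a/wagtail/contrib/modeladmin/TEST_FILE_PATH_NOT_ON_PAGE
+++ b/wagtail/contrib/modeladmin/TEST_FILE_PATH_NOT_ON_PAGE
@@ -286,6 +286,21 @@ def test_back_to_listing(self):
 """
 self .assertContains (response , expected , html = True )
 
+def test_page_title_html_escaping (self ):
+homepage = Page .objects .get (url_path = "/home/" )
+business_index = BusinessIndex (
+title = "Title with <script>alert('XSS')</script>" ,
+)
+homepage .add_child (instance = business_index )
+
+response = self .client .get ("/admin/tests/businesschild/choose_parent/" )
+
+self .assertEqual (response .status_code , 200 )
+self .assertNotContains (response , "Title with <script>alert('XSS')</script>" )
+self .assertContains (
+response , "Title with <script>alert('XSS')</script>"
+)
+
 
 class TestChooseParentViewForNonSuperuser (TestCase , WagtailTestUtils ):
 fixtures = ["test_specific.json" ]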
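Review bot: As rendered, the expected strings on new lines 299 and 301 are identical, so `assertNotContains` and `assertContains` would contradict each other; presumably the page has decoded HTML entities and the line-301 literal in the real source is the escaped form (`&lt;script&gt;…`), which is worth confirming against the raw diff before merging. The test has no docstring stating what regression it guards; a short one such as `"""Parent chooser labels must be autoescaped: a <script> in a page title renders as entities, never as markup."""` would do. Asserting the full escaped string also ties the test to Django's exact escape mapping for the quote character, so checking for `&lt;script&gt;` alone would be less brittle while still proving the label is not marked safe. `Page` and `BusinessIndex` are presumably imported at the top of the test module, outside the hunk.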