+17
-1
lines changedFilter options
+17
-1
lines changed Original file line number Diff line number Diff line change
@@ -93,7 +93,7 @@ def render(self, name, value, attrs=None):
93 93
output = []
94 94
if value and hasattr(value, "url"):
95 95
output.append('%s <a target="_blank" href="%s">%s</a> <br />%s ' % \
96 -
(_('Currently:'), value.url, value, _('Change:')))
96 +
(_('Currently:'), escape(value.url), escape(value), _('Change:')))
97 97
output.append(super(AdminFileWidget, self).render(name, value, attrs))
98 98
return mark_safe(u''.join(output))
99 99
@@ -154,3 +154,19 @@ def test_nonexistent_target_id(self):
154 154
post_data)
155 155
self.assertContains(response,
156 156
'Select a valid choice. That choice is not one of the available choices.')
157 + 158 +
class AdminFileWidgetTest(DjangoTestCase):
159 +
def test_render_escapes_html(self):
160 +
class StrangeFieldFile(object):
161 +
url = "something?chapter=1§=2©=3&lang=en"
162 + 163 +
def __unicode__(self):
164 +
return u'''something<div onclick="alert('oops')">.jpg'''
165 + 166 +
widget = widgets.AdminFileWidget()
167 +
field = StrangeFieldFile()
168 +
output = widget.render('myfile', field)
169 +
self.assertFalse(field.url in output)
170 +
self.assertTrue(u'href="something?chapter=1&sect=2&copy=3&lang=en"' in output)
171 +
self.assertFalse(unicode(field) in output)
172 +
self.assertTrue(u'something<div onclick="alert('oops')">.jpg' in output)
You can’t perform that action at this time.
RetroSearch is an open source project built by @garambo | Open a GitHub Issue
Search and Browse the WWW like it's 1997 | Search results from DuckDuckGo
HTML:
3.2
| Encoding:
UTF-8
| Version:
0.7.4