
[1.2.X] Fixed security issue in AdminFileWidget. Disclosure and relea… · django/django@1f814a9 · GitHub

File tree Expand file treeCollapse file tree 2 files changed

+17

-1

lines changed


@@ -96,7 +96,7 @@ def render(self, name, value, attrs=None):

96 96

output = []

97 97

if value and hasattr(value, "url"):

98 98

output.append('%s <a target="_blank" href="%s">%s</a> <br />%s ' % \

99 -

(_('Currently:'), value.url, value, _('Change:')))

99 +

(_('Currently:'), escape(value.url), escape(value), _('Change:')))

100 100

output.append(super(AdminFileWidget, self).render(name, value, attrs))

101 101

return mark_safe(u''.join(output))
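Review bot: `escape(value.url)` on line 99 neutralises quotes and angle brackets, so the URL can no longer break out of the `href` attribute, but `href` is a URL context and `escape()` does not validate the scheme — a storage backend whose `url()` returned a `javascript:` or `data:` URI would still be live when clicked, so the fix implicitly trusts the storage layer. That assumption deserves a line above the `output.append(...)`, e.g. `# value.url comes from the storage backend and is trusted as a URL; escape() only makes it safe as attribute text. value is the uploaded file name and is untrusted.` The hunk adds no import for `escape`, and the +1/−1 diffstat for this file implies it was already imported — worth confirming rather than assuming. The `render` method begins before this hunk.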

102 102 Original file line number Diff line number Diff line change

@@ -239,6 +239,22 @@ def test_render(self):

239 239

'<input type="file" name="test" />',

240 240

)

241 241 242 +

def test_render_escapes_html(self):

243 +

class StrangeFieldFile(object):

244 +

url = "something?chapter=1&sect=2&copy=3&lang=en"

245 + 246 +

def __unicode__(self):

247 +

return u'''something<div onclick="alert('oops')">.jpg'''

248 + 249 +

widget = AdminFileWidget()

250 +

field = StrangeFieldFile()

251 +

output = widget.render('myfile', field)

252 +

self.assertFalse(field.url in output)

253 +

self.assertTrue(u'href="something?chapter=1&amp;sect=2&amp;copy=3&amp;lang=en"' in output)

254 +

self.assertFalse(unicode(field) in output)

255 +

self.assertTrue(u'something&lt;div onclick=&quot;alert(&#39;oops&#39;)&quot;&gt;.jpg' in output)

256 + 257 + 242 258 243 259

class ForeignKeyRawIdWidgetTest(DjangoTestCase):

244 260

def test_render(self):
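Review bot: The fixture `url` on line 244 contains only `&`, so `test_render_escapes_html` proves `escape()` is applied to `value.url` but never exercises the attribute-breakout case the fix exists for; a `"` and `>` in the URL (with the expected `&quot;`/`&gt;` added to the line 253 assertion) would pin that too. The new method has no docstring, and the odd-looking fixture would read better with `"""Regression test: the file name and URL must be HTML-escaped in the widget output."""`. The assertion on line 252 would also pass for an output that omitted the link entirely, so the positive `assertTrue` on line 253 is the one carrying the check — fine, but worth keeping in mind if the markup changes. The enclosing test class starts before this hunk, and `ForeignKeyRawIdWidgetTest` continues past it.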
