Apply autoescaping to AdminURLFieldWidget. · django/django@90363e3 · GitHub


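--- a/[file 1: path not shown on page]
+++ b/[file 1: path not shown on page]
@@ -310,9 +310,9 @@ def render(self, name, value, attrs=None):
 html = super(AdminURLFieldWidget, self).render(name, value, attrs)
 if value:
 value = force_text(self._format_value(value))
-final_attrs = {'href': mark_safe(smart_urlquote(value))}
+final_attrs = {'href': smart_urlquote(value)}
 html = format_html(
-'<p class="url">{0} <a {1}>{2}</a><br />{3} {4}</p>',
+'<p class="url">{0} <a{1}>{2}</a><br />{3} {4}</p>',
 _('Currently:'), flatatt(final_attrs), value,
 _('Change:'), html
 )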
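Review bot: The two escaping decisions in this hunk are silent and will be undone by the next person who "tidies" them, so they deserve a comment each: `# no mark_safe(): flatatt() must HTML-escape the quoted href itself` above the `final_attrs` line, and `# flatatt() emits a leading space before each attribute, hence '<a{1}>' with no space` above the format string. Dropping mark_safe() means flatatt() escapes the attribute value and format_html() escapes the link text, which closes the attribute breakout pinned by the new tests; note that quoting is all this path does, and nothing here constrains what the stored href may otherwise contain, which is presumably left to the field's validators and is worth stating so the division of responsibility is explicit. render() begins at the hunk header and its body continues past the last line shown.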


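--- a/[file 2: path not shown on page]
+++ b/[file 2: path not shown on page]
@@ -299,18 +299,24 @@ def test_render_idn(self):
 w = widgets.AdminURLFieldWidget()
 self.assertHTMLEqual(
 conditional_escape(w.render('test', 'http://example-äüö.com')),
-'<p class="url">Currently:<a href="http://xn--example--7za4pnc.com">http://example-äüö.com</a><br />Change:<input class="vURLField" name="test" type="text" value="http://example-äüö.com" /></p>'
+'<p class="url">Currently: <a href="http://xn--example--7za4pnc.com">http://example-äüö.com</a><br />Change:<input class="vURLField" name="test" type="text" value="http://example-äüö.com" /></p>'
 )
 
 def test_render_quoting(self):
+# WARNING: Don't use assertHTMLEqual in that testcase!
+# assertHTMLEqual will get rid of some escapes which are tested here!
 w = widgets.AdminURLFieldWidget()
-self.assertHTMLEqual(
-conditional_escape(w.render('test', 'http://example.com/<sometag>some text</sometag>')),
-'<p class="url">Currently:<a href="http://example.com/%3Csometag%3Esome%20text%3C/sometag%3E">http://example.com/&lt;sometag&gt;some text&lt;/sometag&gt;</a><br />Change:<input class="vURLField" name="test" type="text" value="http://example.com/<sometag>some text</sometag>" /></p>'
+self.assertEqual(
+w.render('test', 'http://example.com/<sometag>some text</sometag>'),
+'<p class="url">Currently: <a href="http://example.com/%3Csometag%3Esome%20text%3C/sometag%3E">http://example.com/&lt;sometag&gt;some text&lt;/sometag&gt;</a><br />Change: <input class="vURLField" name="test" type="text" value="http://example.com/&lt;sometag&gt;some text&lt;/sometag&gt;" /></p>'
 )
-self.assertHTMLEqual(
-conditional_escape(w.render('test', 'http://example-äüö.com/<sometag>some text</sometag>')),
-'<p class="url">Currently:<a href="http://xn--example--7za4pnc.com/%3Csometag%3Esome%20text%3C/sometag%3E">http://example-äüö.com/&lt;sometag&gt;some text&lt;/sometag&gt;</a><br />Change:<input class="vURLField" name="test" type="text" value="http://example-äüö.com/<sometag>some text</sometag>" /></p>'
+self.assertEqual(
+w.render('test', 'http://example-äüö.com/<sometag>some text</sometag>'),
+'<p class="url">Currently: <a href="http://xn--example--7za4pnc.com/%3Csometag%3Esome%20text%3C/sometag%3E">http://example-äüö.com/&lt;sometag&gt;some text&lt;/sometag&gt;</a><br />Change: <input class="vURLField" name="test" type="text" value="http://example-äüö.com/&lt;sometag&gt;some text&lt;/sometag&gt;" /></p>'
+)
+self.assertEqual(
+w.render('test', 'http://www.example.com/%C3%A4"><script>alert("XSS!")</script>"'),
+'<p class="url">Currently: <a href="http://www.example.com/%C3%A4%22%3E%3Cscript%3Ealert(%22XSS!%22)%3C/script%3E%22">http://www.example.com/%C3%A4&quot;&gt;&lt;script&gt;alert(&quot;XSS!&quot;)&lt;/script&gt;&quot;</a><br />Change: <input class="vURLField" name="test" type="text" value="http://www.example.com/%C3%A4&quot;&gt;&lt;script&gt;alert(&quot;XSS!&quot;)&lt;/script&gt;&quot;" /></p>'
 )
 
 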
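Review bot: The two-line warning added at the top of test_render_quoting says what not to do but not why it matters here, and "in that testcase" reads oddly; something like `# Don't use assertHTMLEqual here: it normalizes entities and whitespace, and this test pins the exact escaping of the href and the input's value attribute.` would tell the next maintainer what would silently regress. The same reasoning applies to the unchanged test_render_idn just above, which still wraps render() in conditional_escape() and compares with assertHTMLEqual, so its attribute-escaping behaviour is not pinned the way the three assertEqual cases below are; switching it to the same assertEqual form would make the file consistent. test_render_idn begins before the hunk, and whether anything follows test_render_quoting is not visible here.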
