Commit 1f814a95 authored by Carl Meyer's avatar Carl Meyer

[1.2.X] Fixed security issue in AdminFileWidget. Disclosure and release forthcoming.

git-svn-id: http://code.djangoproject.com/svn/django/branches/releases/1.2.X@15471 bcc190cf-cafb-0310-a4f2-bffc1f526a37
parent 19456648
+1 −1
@@ -96,7 +96,7 @@ class AdminFileWidget(forms.FileInput):
        output = []
        if value and hasattr(value, "url"):
            output.append('%s <a target="_blank" href="%s">%s</a> <br />%s ' % \
                (_('Currently:'), value.url, value, _('Change:')))
                (_('Currently:'), escape(value.url), escape(value), _('Change:')))
        output.append(super(AdminFileWidget, self).render(name, value, attrs))
        return mark_safe(u''.join(output))
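Review bot: The `mark_safe(u''.join(output))` on the last line of the hunk trusts every fragment, so the two `escape()` calls added on the new `output.append` line are the only barrier between a user-chosen upload name (and its URL) and raw HTML, and nothing in the code says so; a later edit could drop one without noticing. I would add above `if value and hasattr(value, "url"):` the comment `# value is user-controlled (uploaded file name/url): escape it here, the join below is mark_safe'd`. The new line also relies on `escape` being in scope in this module, which is outside the visible lines; confirm the `from django.utils.html import escape` (or equivalent) import is present, since the fix would otherwise raise NameError only when a value with a url is rendered. The `render` method's signature and the start of its body lie outside the hunk.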

+16 −0
@@ -239,6 +239,22 @@ class AdminFileWidgetTest(DjangoTestCase):
            '<input type="file" name="test" />',
        )

    def test_render_escapes_html(self):
        class StrangeFieldFile(object):
            url = "something?chapter=1&sect=2&copy=3&lang=en"

            def __unicode__(self):
                return u'''something<div onclick="alert('oops')">.jpg'''

        widget = AdminFileWidget()
        field = StrangeFieldFile()
        output = widget.render('myfile', field)
        self.assertFalse(field.url in output)
        self.assertTrue(u'href="something?chapter=1&amp;sect=2&amp;copy=3&amp;lang=en"' in output)
        self.assertFalse(unicode(field) in output)
        self.assertTrue(u'something&lt;div onclick=&quot;alert(&#39;oops&#39;)&quot;&gt;.jpg' in output)



class ForeignKeyRawIdWidgetTest(DjangoTestCase):
    def test_render(self):
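Review bot: The url assertions in `test_render_escapes_html` exercise only `&`, which is not the character that would terminate the `href="…"` attribute; a `"` or `<` in `url` is the case the widget fix matters for in that context, and nothing here pins it. A second fixture alongside `StrangeFieldFile`, e.g. `url = u'something"<.jpg'` with `self.assertTrue(u'href="something&quot;&lt;.jpg"' in output)`, would lock that behaviour in (the `&quot;`/`&lt;` forms match what the `__unicode__` assertion on the next lines already expects from `escape()`). The `__unicode__` case is well chosen, since it covers `<`, `"` and `'` in text context. The enclosing `AdminFileWidgetTest` class starts before the hunk.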