Loading django/contrib/admin/widgets.py +2 −2 Original line number Diff line number Diff line Loading @@ -305,7 +305,7 @@ class AdminURLFieldWidget(forms.URLInput): html = super(AdminURLFieldWidget, self).render(name, value, attrs) if value: value = force_text(self._format_value(value)) final_attrs = {'href': mark_safe(smart_urlquote(value))} final_attrs = {'href': smart_urlquote(value)} html = format_html( '<p class="url">{0} <a{1}>{2}</a><br />{3} {4}</p>', _('Currently:'), flatatt(final_attrs), value, Loading tests/admin_widgets/tests.py +13 −7 Original line number Diff line number Diff line Loading @@ -325,14 +325,20 @@ class AdminURLWidgetTest(DjangoTestCase): ) def test_render_quoting(self): # WARNING: Don't use assertHTMLEqual in that testcase! # assertHTMLEqual will get rid of some escapes which are tested here! w = widgets.AdminURLFieldWidget() self.assertHTMLEqual( conditional_escape(w.render('test', 'http://example.com/<sometag>some text</sometag>')), '<p class="url">Currently:<a href="http://example.com/%3Csometag%3Esome%20text%3C/sometag%3E">http://example.com/<sometag>some text</sometag></a><br />Change:<input class="vURLField" name="test" type="url" value="http://example.com/<sometag>some text</sometag>" /></p>' self.assertEqual( w.render('test', 'http://example.com/<sometag>some text</sometag>'), '<p class="url">Currently: <a href="http://example.com/%3Csometag%3Esome%20text%3C/sometag%3E">http://example.com/<sometag>some text</sometag></a><br />Change: <input class="vURLField" name="test" type="url" value="http://example.com/<sometag>some text</sometag>" /></p>' ) self.assertHTMLEqual( conditional_escape(w.render('test', 'http://example-äüö.com/<sometag>some text</sometag>')), '<p class="url">Currently:<a href="http://xn--example--7za4pnc.com/%3Csometag%3Esome%20text%3C/sometag%3E">http://example-äüö.com/<sometag>some text</sometag></a><br />Change:<input class="vURLField" name="test" type="url" value="http://example-äüö.com/<sometag>some text</sometag>" /></p>' self.assertEqual( w.render('test', 'http://example-äüö.com/<sometag>some text</sometag>'), '<p class="url">Currently: <a href="http://xn--example--7za4pnc.com/%3Csometag%3Esome%20text%3C/sometag%3E">http://example-äüö.com/<sometag>some text</sometag></a><br />Change: <input class="vURLField" name="test" type="url" value="http://example-äüö.com/<sometag>some text</sometag>" /></p>' ) self.assertEqual( w.render('test', 'http://www.example.com/%C3%A4"><script>alert("XSS!")</script>"'), '<p class="url">Currently: <a href="http://www.example.com/%C3%A4%22%3E%3Cscript%3Ealert(%22XSS!%22)%3C/script%3E%22">http://www.example.com/%C3%A4"><script>alert("XSS!")</script>"</a><br />Change: <input class="vURLField" name="test" type="url" value="http://www.example.com/%C3%A4"><script>alert("XSS!")</script>"" /></p>' ) Loading Loading
django/contrib/admin/widgets.py +2 −2 Original line number Diff line number Diff line Loading @@ -305,7 +305,7 @@ class AdminURLFieldWidget(forms.URLInput): html = super(AdminURLFieldWidget, self).render(name, value, attrs) if value: value = force_text(self._format_value(value)) final_attrs = {'href': mark_safe(smart_urlquote(value))} final_attrs = {'href': smart_urlquote(value)} html = format_html( '<p class="url">{0} <a{1}>{2}</a><br />{3} {4}</p>', _('Currently:'), flatatt(final_attrs), value, Loading
tests/admin_widgets/tests.py +13 −7 Original line number Diff line number Diff line Loading @@ -325,14 +325,20 @@ class AdminURLWidgetTest(DjangoTestCase): ) def test_render_quoting(self): # WARNING: Don't use assertHTMLEqual in that testcase! # assertHTMLEqual will get rid of some escapes which are tested here! w = widgets.AdminURLFieldWidget() self.assertHTMLEqual( conditional_escape(w.render('test', 'http://example.com/<sometag>some text</sometag>')), '<p class="url">Currently:<a href="http://example.com/%3Csometag%3Esome%20text%3C/sometag%3E">http://example.com/<sometag>some text</sometag></a><br />Change:<input class="vURLField" name="test" type="url" value="http://example.com/<sometag>some text</sometag>" /></p>' self.assertEqual( w.render('test', 'http://example.com/<sometag>some text</sometag>'), '<p class="url">Currently: <a href="http://example.com/%3Csometag%3Esome%20text%3C/sometag%3E">http://example.com/<sometag>some text</sometag></a><br />Change: <input class="vURLField" name="test" type="url" value="http://example.com/<sometag>some text</sometag>" /></p>' ) self.assertHTMLEqual( conditional_escape(w.render('test', 'http://example-äüö.com/<sometag>some text</sometag>')), '<p class="url">Currently:<a href="http://xn--example--7za4pnc.com/%3Csometag%3Esome%20text%3C/sometag%3E">http://example-äüö.com/<sometag>some text</sometag></a><br />Change:<input class="vURLField" name="test" type="url" value="http://example-äüö.com/<sometag>some text</sometag>" /></p>' self.assertEqual( w.render('test', 'http://example-äüö.com/<sometag>some text</sometag>'), '<p class="url">Currently: <a href="http://xn--example--7za4pnc.com/%3Csometag%3Esome%20text%3C/sometag%3E">http://example-äüö.com/<sometag>some text</sometag></a><br />Change: <input class="vURLField" name="test" type="url" value="http://example-äüö.com/<sometag>some text</sometag>" /></p>' ) self.assertEqual( w.render('test', 'http://www.example.com/%C3%A4"><script>alert("XSS!")</script>"'), '<p class="url">Currently: <a href="http://www.example.com/%C3%A4%22%3E%3Cscript%3Ealert(%22XSS!%22)%3C/script%3E%22">http://www.example.com/%C3%A4"><script>alert("XSS!")</script>"</a><br />Change: <input class="vURLField" name="test" type="url" value="http://www.example.com/%C3%A4"><script>alert("XSS!")</script>"" /></p>' ) Loading
