author | Jon Dufresne <jon.dufresne@gmail.com> | 2020-05-26 09:51:02 +0200 |
---|---|---|
committer | Carlton Gibson <carlton.gibson@noumenal.es> | 2020-06-03 09:23:00 +0200 |
commit | 2dd4d110c159d0c81dff42eaead2c378a0998735 (patch) | |
tree | 882d7a84a709dbc73e63c684bdbcdf2449d7dec1 /tests/admin_widgets | |
parent | 81dc710571b773557170cce9764fff83b6dfd8ae (diff) | |
download | django-2dd4d110c159d0c81dff42eaead2c378a0998735.tar.gz |
Fixed CVE-2020-13596 -- Fixed potential XSS in admin ForeignKeyRawIdWidget.
Diffstat (limited to 'tests/admin_widgets')
-rw-r--r-- | tests/admin_widgets/models.py | 8 | ||||
-rw-r--r-- | tests/admin_widgets/tests.py | 11 |
2 files changed, 19 insertions, 0 deletions
diff --git a/tests/admin_widgets/models.py b/tests/admin_widgets/models.py
index b5025fdfd7..88bf2b8fca 100644
--- a/tests/admin_widgets/models.py
+++ b/tests/admin_widgets/models.py
@@ -27,6 +27,14 @@ class Band(models.Model):
         return self.name
 
 
+class UnsafeLimitChoicesTo(models.Model):
+    band = models.ForeignKey(
+        Band,
+        models.CASCADE,
+        limit_choices_to={'name': '"&><escapeme'},
+    )
+
+
 class Album(models.Model):
     band = models.ForeignKey(Band, models.CASCADE)
     featuring = models.ManyToManyField(Band, related_name='featured')
diff --git a/tests/admin_widgets/tests.py b/tests/admin_widgets/tests.py
index b60d01e43f..334a534907 100644
--- a/tests/admin_widgets/tests.py
+++ b/tests/admin_widgets/tests.py
@@ -24,6 +24,7 @@ from django.utils import translation
 from .models import (
     Advisor, Album, Band, Bee, Car, Company, Event, Honeycomb, Individual,
     Inventory, Member, MyFileField, Profile, School, Student,
+    UnsafeLimitChoicesTo,
 )
 from .widgetadmin import site as widget_admin_site
 
@@ -617,6 +618,16 @@ class ForeignKeyRawIdWidgetTest(TestCase):
             'Hidden</a></strong>' % {'pk': hidden.pk}
         )
 
+    def test_render_unsafe_limit_choices_to(self):
+        rel = UnsafeLimitChoicesTo._meta.get_field('band').remote_field
+        w = widgets.ForeignKeyRawIdWidget(rel, widget_admin_site)
+        self.assertHTMLEqual(
+            w.render('test', None),
+            '<input type="text" name="test" class="vForeignKeyRawIdAdminField">\n'
+            '<a href="/admin_widgets/band/?name=%22%26%3E%3Cescapeme&_to_field=id" '
+            'class="related-lookup" id="lookup_id_test" title="Lookup"></a>'
+        )
+
 @override_settings(ROOT_URLCONF='admin_widgets.urls')
 class ManyToManyRawIdWidgetTest(TestCase): |
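Review bot: The `limit_choices_to` value on the new `UnsafeLimitChoicesTo.band` field has no comment explaining why that exact string was chosen, so a future cleanup could replace it with a plain name and silently weaken the regression test that depends on it. Suggest a comment above the field: `# Contains characters that must be percent-encoded in the raw-id lookup href (regression model for CVE-2020-13596).` The model definition is complete within the hunk.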
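Review bot: `test_render_unsafe_limit_choices_to` verifies the encoded href only through `assertHTMLEqual`, which compares parsed markup rather than the raw rendered string, so whether a stray unencoded `"` or `>` inside the attribute would be reported depends on how tolerant that comparison's HTML parsing is. Binding the output once and adding a raw-string check pins the encoding directly: `html = w.render('test', None)` followed by `self.assertIn('name=%22%26%3E%3Cescapeme', html)`, with the existing `assertHTMLEqual` kept on `html`. The method also lacks a docstring tying it to the commit; suggest `"""Regression test for CVE-2020-13596: limit_choices_to values are percent-encoded in the lookup href."""`. The enclosing `ForeignKeyRawIdWidgetTest` class starts outside the hunk.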