Updated vendored _urlsplit() to strip newline and tabs.

Refs Python CVE-2022-0391. Django is not affected, but others who incorrectly use internal function url_has_allowed_host_and_scheme() with unsanitized input could be at risk.
author: Michael Manfre <mike@manfre.net> 2022-06-29 20:39:51 -0400
committer: Mariusz Felisiak <felisiak.mariusz@gmail.com> 2022-07-01 08:48:38 +0200
commit: 03eec9ff6cc78e7c1bcf88bb76ecd11f0d433c72 (patch)
tree: c9ad05e93f1ce711e13e72bda616367988f453a5 /tests/utils_tests
parent: 5c93a84f44054034f495267ff2400a5de69a4fc1 (diff)
download: django-03eec9ff6cc78e7c1bcf88bb76ecd11f0d433c72.tar.gz
1 files changed, 1 insertions, 0 deletions
diff --git a/tests/utils_tests/test_http.py b/tests/utils_tests/test_http.py
index b2754b4ddb..9978c7bb52 100644
--- a/tests/utils_tests/test_http.py
+++ b/tests/utils_tests/test_http.py
@@ -177,6 +177,7 @@ class URLHasAllowedHostAndSchemeTests(unittest.TestCase):
             r"http:/\example.com",
             'javascript:alert("XSS")',
             "\njavascript:alert(x)",
+            "java\nscript:alert(x)",
             "\x08//example.com",
             r"http://otherserver\@example.com",
             r"http:\\testserver\@example.com",
author	Michael Manfre <mike@manfre.net>	2022-06-29 20:39:51 -0400
committer	Mariusz Felisiak <felisiak.mariusz@gmail.com>	2022-07-01 08:48:38 +0200
commit	03eec9ff6cc78e7c1bcf88bb76ecd11f0d433c72 (patch)
tree	c9ad05e93f1ce711e13e72bda616367988f453a5 /tests/utils_tests
parent	5c93a84f44054034f495267ff2400a5de69a4fc1 (diff)
download	django-03eec9ff6cc78e7c1bcf88bb76ecd11f0d433c72.tar.gz