From 2dd4d110c159d0c81dff42eaead2c378a0998735 Mon Sep 17 00:00:00 2001
From: Jon Dufresne
Date: Tue, 26 May 2020 09:51:02 +0200
Subject: Fixed CVE-2020-13596 -- Fixed potential XSS in admin ForeignKeyRawIdWidget.
---
 tests/admin_widgets/models.py | 8 ++++++++
 tests/admin_widgets/tests.py | 11 +++++++++++
 2 files changed, 19 insertions(+)
(limited to 'tests/admin_widgets')
diff --git a/tests/admin_widgets/models.py b/tests/admin_widgets/models.py
index b5025fdfd7..88bf2b8fca 100644
--- a/tests/admin_widgets/models.py
+++ b/tests/admin_widgets/models.py
@@ -27,6 +27,14 @@ class Band(models.Model):
 return self.name
+class UnsafeLimitChoicesTo(models.Model):
+ band = models.ForeignKey(
+ Band,
+ models.CASCADE,
+ limit_choices_to={'name': '"&>' % {'pk': hidden.pk} )
+ def test_render_unsafe_limit_choices_to(self):
+ rel = UnsafeLimitChoicesTo._meta.get_field('band').remote_field
+ w = widgets.ForeignKeyRawIdWidget(rel, widget_admin_site)
+ self.assertHTMLEqual(
+ w.render('test', None),
+ '\n'
+ ''
+ )
+
 @override_settings(ROOT_URLCONF='admin_widgets.urls')
 class ManyToManyRawIdWidgetTest(TestCase):
-- cgit v1.2.1
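Review bot: The new test_render_unsafe_limit_choices_to method carries no docstring or comment tying it to the issue named in the Subject, so a later reader has to go through history to learn why a model with a deliberately hostile limit_choices_to value exists; add `"""Regression test for CVE-2020-13596: limit_choices_to values must be escaped in the rendered widget output."""` under the def, and a one-line `# Deliberately hostile limit_choices_to; used by test_render_unsafe_limit_choices_to.` above `class UnsafeLimitChoicesTo` in models.py. On this page the limit_choices_to literal and most of the expected markup in the assertHTMLEqual call are lost to extraction (the text jumps from `'"&>'` into the tail of an earlier test), so the assertion itself cannot be checked here. The tests.py hunk header is missing for the same reason, and the test class that encloses the new method starts outside what is visible. The commit is limited to tests/admin_widgets, so the widget change this test is meant to guard is not part of this diff.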