From 03eec9ff6cc78e7c1bcf88bb76ecd11f0d433c72 Mon Sep 17 00:00:00 2001
From: Michael Manfre
Date: Wed, 29 Jun 2022 20:39:51 -0400
Subject: Updated vendored _urlsplit() to strip newline and tabs.

Refs Python CVE-2022-0391. Django is not affected, but others who incorrectly use internal function url_has_allowed_host_and_scheme() with unsanitized input could be at risk.
---
 tests/utils_tests/test_http.py | 1 +
 1 file changed, 1 insertion(+)

(limited to 'tests/utils_tests')

diff --git a/tests/utils_tests/test_http.py b/tests/utils_tests/test_http.py
index b2754b4ddb..9978c7bb52 100644
--- a/tests/utils_tests/test_http.py
+++ b/tests/utils_tests/test_http.py
@@ -177,6 +177,7 @@ class URLHasAllowedHostAndSchemeTests(unittest.TestCase):
 r"http:/\example.com",
 'javascript:alert("XSS")',
 "\njavascript:alert(x)",
+ "java\nscript:alert(x)",
 "\x08//example.com",
 r"http://otherserver\@example.com",
 r"http:\\testserver\@example.com",
--
cgit v1.2.1
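Review bot: The added bad-URL entry `"java\nscript:alert(x)"` only pins the newline half of what the subject line says `_urlsplit()` now strips; nothing in this hunk exercises a tab inside the scheme, so a regression in tab stripping would go unnoticed by this test. The CPython fix for CVE-2022-0391 removes `\t`, `\r` and `\n` from the URL before parsing, so the list should carry the sibling cases as well, e.g. `"java\tscript:alert(x)",` and `"java\rscript:alert(x)",` placed next to the new entry. Note that the whitespace-stripping behaviour is asserted here only indirectly through the rejected-URL list; the `_urlsplit()` change itself is outside this hunk, which starts and ends inside the `bad_urls` literal of `URLHasAllowedHostAndSchemeTests`.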