Ticket #15182: 15182_v2.diff

File 15182_v2.diff, 1.9 KB (added by gabrielhurley, 4 years ago)
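--- a/django/forms/widgets.py
+++ b/django/forms/widgets.py
@@ -332,7 +332,9 @@
             substitutions['initial'] = (u'<a href="%s">%s</a>'
                                         % (value.url, value))
             if not self.is_required:
-                checkbox_name = self.clear_checkbox_name(name)
+                # Since the checkbox label bypasses the usual widget
+                # attribute machinery, make sure it's escaped.
+                checkbox_name = self.clear_checkbox_name(conditional_escape(name))
                 checkbox_id = self.clear_checkbox_id(checkbox_name)
                 substitutions['clear_checkbox_name'] = checkbox_name
                 substitutions['clear_checkbox_id'] = checkbox_id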
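Review bot: The escaping stops at `name`: the context lines just above the change still interpolate `value.url` and `value` unescaped into the `<a>` markup stored in `substitutions['initial']`, and the name of an uploaded file is user-supplied just like the field name. Applying the same treatment there, `substitutions['initial'] = (u'<a href="%s">%s</a>' % (conditional_escape(value.url), conditional_escape(value)))`, closes the same gap in the same method. Note also that `conditional_escape` skips anything already marked safe; a widget name is never meant to carry markup, so plain `escape(name)` would give the stricter guarantee if it is in scope. The enclosing `render` starts and ends outside this hunk.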
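--- a/tests/regressiontests/forms/tests/widgets.py
+++ b/tests/regressiontests/forms/tests/widgets.py
@@ -1086,6 +1086,13 @@
         self.assertEqual(widget.render('myfile', FakeFieldFile()),
                          u'Currently: <a href="something">something</a> <input type="checkbox" name="myfile-clear" id="myfile-clear_id" /> <label for="myfile-clear_id">Clear</label><br />Change: <input type="file" name="myfile" />')
 
+    def test_clear_input_label_escaped(self):
+        widget = ClearableFileInput()
+        widget.is_required = False
+        xss_string = '''myfile"><script>alert('oops')</script><br name=".jpg'''
+        output = widget.render('">a_nasty_attack.jpg"', FakeFieldFile())
+        self.assertTrue(xss_string not in output)
+
     def test_clear_input_renders_only_if_not_required(self):
         """
         A ClearableFileInput with is_required=False does not render a clear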
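Review bot: The new `test_clear_input_label_escaped` cannot fail: `xss_string` is never passed to `render` (a different literal is), so asserting it is absent from the output proves nothing about escaping and would pass even without the widgets.py change. Render with the string under test and check both that the raw form is gone and that its escaped form is present, matching the file's existing `assertTrue` style: `output = widget.render(xss_string, FakeFieldFile())`, `self.assertTrue(xss_string not in output)`, `self.assertTrue('myfile&quot;&gt;&lt;script&gt;' in output)`. The enclosing test class starts and ends outside this section.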