Opened 5 years ago

Closed 5 years ago

Last modified 5 years ago

#15182 closed (fixed)

ClearableFileInput widget doesn't encode values when render HTML

Reported by: e.generalov Owned by: nobody
Component: Forms Version: master
Severity: Keywords:
Cc: Triage Stage: Unreviewed
Has patch: yes Needs documentation: no
Needs tests: no Patch needs improvement: no
Easy pickings: UI/UX:


Given I have a model with FileField, admin interface and browser with JavaScript enabled.
When I upload a file with name "something<div onclick="alert('oops')">.jpg"
then I see model change form with link like to "something.jpg".
And when I click to the "jpg" then I see "oops" alert.

There is a bug in the ClearableFileInput render method. It doesn't encodes FileField properties (name and url) when writes HTML.
It could be dangerous for sites where users can to upload files and administrators manages them with admin interface.

Attachments (2)

clearablefieldwidget-encode-to-html.patch (2.3 KB) - added by e.generalov 5 years ago.
15182_v2.diff (1.9 KB) - added by gabrielhurley 5 years ago.

Download all attachments as: .zip

Change History (5)

Changed 5 years ago by e.generalov

comment:1 Changed 5 years ago by anonymous

  • Has patch set
  • Needs documentation unset
  • Needs tests unset
  • Patch needs improvement unset

Changed 5 years ago by gabrielhurley

comment:2 Changed 5 years ago by carljm

  • Resolution set to fixed
  • Status changed from new to closed

In [15470]:

Fixed #15182 - Fixed a security issue with ClearableFileInput. Disclosure and new release forthcoming.

comment:3 Changed 5 years ago by carljm

e.generalov: Thanks for this report and fix. In future please report security issues privately to

Note: See TracTickets for help on using tickets.
Back to Top