ClearableFileInput widget doesn't encode values when rendering HTML
Reported by: e.generalov        Owned by: nobody
Has patch: yes                  Needs documentation: no
Needs tests: no                 Patch needs improvement: no
When I upload a file with the name "something<div onclick="alert('oops')">.jpg",
then I see the model change form with a link that looks like "something.jpg".
And when I click on "jpg", I see an "oops" alert.
There is a bug in the ClearableFileInput render method. It doesn't encode the FileField properties (name and url) when it writes HTML.
It could be dangerous for sites where users can upload files and administrators manage them through the admin interface.
Change History (5)
Changed 4 years ago by e.generalov
comment:1 Changed 4 years ago by anonymous
- Has patch set
- Needs documentation unset
- Needs tests unset
- Patch needs improvement unset