#15182 closed (fixed)
ClearableFileInput widget doesn't encode values when render HTML
| Reported by: | e.generalov | Owned by: | nobody |
|---|---|---|---|
| Component: | Forms | Version: | dev |
| Severity: | | Keywords: | |
| Cc: | | Triage Stage: | Unreviewed |
| Has patch: | yes | Needs documentation: | no |
| Needs tests: | no | Patch needs improvement: | no |
| Easy pickings: | no | UI/UX: | no |
Description
Given I have a model with a FileField, the admin interface and a browser with JavaScript enabled.
When I upload a file with the name "something<div onclick="alert('oops')">.jpg"
then I see the model change form with a link that looks like "something.jpg".
And when I click the "jpg" then I see the "oops" alert.
There is a bug in the ClearableFileInput render method. It doesn't encode the FileField properties (name and url) when it writes HTML.
It could be dangerous for sites where users can upload files and administrators manage them with the admin interface.
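Added example, not the ticket's patch and only a simplified stand-in for the real widget markup: a renderer that interpolates the file name and URL raw (the behaviour reported above) beside one that escapes them, plus a check that flags an untrusted value surviving verbatim in the output. `FakeFieldFile`, `render_unescaped`, `render_escaped` and `leaks_markup` are assumed names, and the standard-library `html.escape` stands in for Django's own escaping helpers.

```python
import html
from dataclasses import dataclass


@dataclass
class FakeFieldFile:
    """Constructed stand-in for the FieldFile a FileField hands to the widget."""
    name: str
    url: str


def render_unescaped(value: FakeFieldFile) -> str:
    """Reproduces the reported defect: name and url are interpolated as-is,
    so markup inside the file name becomes markup in the change form."""
    return 'Currently: <a href="%s">%s</a> ' % (value.url, value.name)


def render_escaped(value: FakeFieldFile) -> str:
    """Hardened form: every untrusted value is HTML-escaped before it is
    placed in the template (html.escape is a stand-in for Django's helpers)."""
    return 'Currently: <a href="%s">%s</a> ' % (
        html.escape(value.url, quote=True),
        html.escape(value.name, quote=True),
    )


def leaks_markup(value: FakeFieldFile, rendered: str) -> bool:
    """Detection check: an untrusted value that carries markup-significant
    characters and still appears verbatim in the output was not escaped."""
    for untrusted in (value.name, value.url):
        if any(ch in untrusted for ch in '<>"\'') and untrusted in rendered:
            return True
    return False


# Constructed sample: the file name from the ticket, as stored on a FileField.
MALICIOUS = FakeFieldFile(
    name='something<div onclick="alert(\'oops\')">.jpg',
    url='/media/something<div onclick="alert(\'oops\')">.jpg',
)
BENIGN = FakeFieldFile(name="photo.jpg", url="/media/photo.jpg")

if __name__ == "__main__":
    print(render_unescaped(MALICIOUS))  # injected <div> reaches the page
    print(render_escaped(MALICIOUS))    # the same name, rendered inert
```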
Attachments (2)
Change History (5)
by , 15 years ago
| Attachment: | clearablefieldwidget-encode-to-html.patch added |
|---|---|
comment:1 by , 15 years ago
| Has patch: | set |
|---|---|
by , 15 years ago
| Attachment: | 15182_v2.diff added |
|---|---|
comment:2 by , 15 years ago
| Resolution: | → fixed |
|---|---|
| Status: | new → closed |
comment:3 by , 15 years ago
e.generalov: Thanks for this report and fix. In future please report security issues privately to security@djangoproject.com.
In [15470]: