id	summary	reporter	owner	description	type	status	component	version	severity	resolution	keywords	cc	stage	has_patch	needs_docs	needs_tests	needs_better_patch	easy	ui_ux
15182	ClearableFileInput widget doesn't encode values when render HTML	e.generalov	nobody	"Given I have a model with FileField, admin interface and browser with JavaScript enabled.
When I upload a file with name ""`something<div onclick=""alert('oops')"">.jpg`""
then I see the model change form with a link like ""something.jpg"".
And when I click on the ""jpg"" then I see an ""oops"" alert.

There is a bug in the ClearableFileInput render method. It doesn't encode FileField properties (name and url) when it writes HTML.
It could be dangerous for sites where users can upload files and administrators manage them with the admin interface."		closed	Forms	dev		fixed			Unreviewed	1	0	0	0	0	0
