Opened 5 years ago

Closed 5 years ago

Last modified 5 years ago

#24461 closed Bug (fixed)

Admin readonly_fields pointing to properties (@property) do not get escaped.

Reported by: Eran Rundstein Owned by: Baptiste Mispelon
Component: contrib.admin Version: 1.7
Severity: Normal Keywords:
Cc: Triage Stage: Accepted
Has patch: no Needs documentation: no
Needs tests: no Patch needs improvement: no
Easy pickings: no UI/UX: no

Description

Hey,

My model has a @property, and I am using readonly_fields to display it. allow_tags is nowhere to be seen, and I believe the culprit is the following code (env/lib/python2.7/site-packages/django/contrib/admin/helpers.py):

                    result_repr = smart_text(value)
                    if getattr(attr, "allow_tags", False):
                        result_repr = mark_safe(result_repr)
                    else:
                        result_repr = linebreaksbr(result_repr)

This is used by AdminReadonlyField to render the field. Unfortunately, linebreaksbr replies on the template system autoescape mechanism, which isn't kicking in when calling the filter directly:

In [2]: linebreaksbr('<a>test</a>')
Out[2]: u'<a>test</a>'

In [3]: type(_)
Out[3]: django.utils.safestring.SafeText

Change History (4)

comment:1 Changed 5 years ago by Baptiste Mispelon

Owner: changed from nobody to Baptiste Mispelon
Status: newassigned
Triage Stage: UnreviewedAccepted

Hi,

I can indeed reproduce the issue, thanks for bringing it up.

comment:2 Changed 5 years ago by Tim Graham <timograham@…>

Resolution: fixed
Status: assignedclosed

In 2654e1b93923bac55f12b4e66c5e39b16695ace5:

[1.7.x] Fixed #24461 -- Fixed XSS issue in ModelAdmin.readonly_fields

comment:3 Changed 5 years ago by Tim Graham <timograham@…>

In 35d68e8e766217924375e1a91533fee50159291c:

[1.8.x] Refs #24461 -- Added test/release notes for XSS issue in ModelAdmin.readonly_fields

This issue was fixed by refs #24464.

comment:4 Changed 5 years ago by Tim Graham <timograham@…>

In 82c9169077a066995e3b00aac551bf1c8a89d98a:

Refs #24461 -- Added test/release notes for XSS issue in ModelAdmin.readonly_fields

This issue was fixed by refs #24464.

Note: See TracTickets for help on using tickets.
Back to Top