#15182: ClearableFileInput widget doesn't encode values when rendering HTML
-------------------------+--------------------------------------------------
Reporter: e.generalov | Owner: nobody
Status: new | Milestone:
Component: Forms | Version: SVN
Keywords: | Stage: Unreviewed
Has_patch: 0 |
-------------------------+--------------------------------------------------
Given I have a model with a FileField, the admin interface, and a browser with
JavaScript enabled.
When I upload a file named "`something<div onclick="alert('oops')">.jpg`",
I see the model change form with a link that looks like "something.jpg".
And when I click on the "jpg", I see an "oops" alert.
There is a bug in the ClearableFileInput render method. It doesn't encode the
FileField properties (name and url) when writing HTML.
It could be dangerous for sites where users can upload files and
administrators manage them with the admin interface.
--
Ticket URL: <http://code.djangoproject.com/ticket/15182>
Django <http://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
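The rendering problem the ticket describes, reproduced as an added stand-alone example (not code from the ticket or from Django): a constructed stand-in for the widget's link rendering interpolates the uploaded file's `name` and `url` into markup raw, and a hardened variant HTML-escapes both with the standard library's `html.escape`. `FakeFieldFile`, `render_initial_vulnerable`, `render_initial_hardened` and the sample filename are all assumptions made for the demonstration; the parser-based `start_tags` check shows that the attacker's `<div onclick=...>` becomes a real element in the vulnerable output and plain text in the hardened one.

```python
"""Reproduction of the unescaped file name/url issue from ticket #15182.

Everything here is a constructed example. The two render_* functions are a
simplified stand-in for the part of a file widget that links to the current
file; they are NOT Django's ClearableFileInput code.
"""
from dataclasses import dataclass
from html import escape
from html.parser import HTMLParser


@dataclass
class FakeFieldFile:
    """Hypothetical stand-in for a FieldFile: only the attributes a widget reads."""
    name: str
    url: str

    def __str__(self) -> str:
        # Django file objects stringify to their stored name.
        return self.name


def render_initial_vulnerable(value: FakeFieldFile) -> str:
    """Mirrors the reported bug: name and url are interpolated unescaped."""
    return '<a href="%s">%s</a>' % (value.url, value)


def render_initial_hardened(value: FakeFieldFile) -> str:
    """Escape the URL (attribute context) and the display name (text context).

    quote=True also encodes " and ', so a quote in the name cannot close the
    href attribute and start a new one.
    """
    return '<a href="%s">%s</a>' % (
        escape(value.url, quote=True),
        escape(str(value), quote=True),
    )


class _StartTagCollector(HTMLParser):
    """Records every start tag the HTML parser actually sees."""

    def __init__(self) -> None:
        super().__init__()
        self.tags: list[str] = []

    def handle_starttag(self, tag: str, attrs) -> None:
        self.tags.append(tag)


def start_tags(markup: str) -> list[str]:
    """Parse markup the way a browser roughly would and list the element names.

    A filename that survives as a real tag shows up here; an escaped one does not.
    """
    parser = _StartTagCollector()
    parser.feed(markup)
    parser.close()
    return parser.tags


# Constructed sample input: the filename from the ticket, as it would be stored
# after upload, with a URL derived from it under an assumed MEDIA_URL.
EVIL_NAME = 'something<div onclick="alert(\'oops\')">.jpg'
EVIL_FILE = FakeFieldFile(name=EVIL_NAME, url="/media/uploads/" + EVIL_NAME)


if __name__ == "__main__":
    vulnerable = render_initial_vulnerable(EVIL_FILE)
    hardened = render_initial_hardened(EVIL_FILE)
    print("vulnerable:", vulnerable)
    print("  tags:", start_tags(vulnerable))
    print("hardened:  ", hardened)
    print("  tags:", start_tags(hardened))
```

Running the module prints both renderings; the vulnerable one parses to an `a` element followed by an injected `div`, while the hardened one contains only the `a`. The same check can be pointed at any widget output that interpolates user-controlled filenames to confirm the fix took.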