

Commit d03bf6f

[1.9.x] Fixed XSS in admin's add/change related popup.
This is a security fix.
1 parent ab2f5f7 commit d03bf6f


6 files changed

+41
-8
lines changed


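--- a/django/contrib/admin/static/admin/js/admin/RelatedObjectLookups.js
+++ b/django/contrib/admin/static/admin/js/admin/RelatedObjectLookups.js
@@ -120,7 +120,7 @@
 var selects = django.jQuery(selectsSelector);
 selects.find('option').each(function() {
 if (this.value === objId) {
-this.innerHTML = newRepr;
+this.textContent = newRepr;
 this.value = newId;
 }
 });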
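Review bot: The switch to `textContent` on the changed line is correct but carries no explanation, so a later refactor can reintroduce `innerHTML` without noticing why it matters; add a short why-comment above it: `// newRepr is the object's str() and is attacker-influenceable data, not markup: assign via textContent so it is never parsed as HTML.` The `each` callback and its enclosing function start before this hunk, so whether `newRepr` is used anywhere else in the same function (e.g. an add-path branch) cannot be confirmed from here and is worth a quick grep.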

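--- a/django/views/debug.py
+++ b/django/views/debug.py
@@ -631,13 +631,13 @@ def default_urlconf(request):
 var s = link.getElementsByTagName('span')[0];
 var uarr = String.fromCharCode(0x25b6);
 var darr = String.fromCharCode(0x25bc);
-s.innerHTML = s.innerHTML == uarr ? darr : uarr;
+s.textContent = s.textContent == uarr ? darr : uarr;
 return false;
 }
 function switchPastebinFriendly(link) {
 s1 = "Switch to copy-and-paste view";
 s2 = "Switch back to interactive view";
-link.innerHTML = link.innerHTML.trim() == s1 ? s2: s1;
+link.textContent = link.textContent.trim() == s1 ? s2: s1;
 toggle('browserTraceback', 'pastebinTraceback');
 return false;
 }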
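Review bot: Both rewritten lines keep the loose `==` comparison and the second keeps the uneven `s2: s1` spacing, while the companion fix in RelatedObjectLookups.js uses strict equality (`this.value === objId`); the operands here are string constants, so `===` is a safe, consistent choice. Suggested: `s.textContent = s.textContent === uarr ? darr : uarr;` and `link.textContent = link.textContent.trim() === s1 ? s2 : s1;`. The first function in this hunk starts before line 631 and is only partly visible; `switchPastebinFriendly` is shown in full. Since this JavaScript lives inside a Python template string in debug.py, the release-note statement that no security issue was identified here is consistent with the values being fixed literals rather than request data.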

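--- a/docs/releases/1.8.14.txt
+++ b/docs/releases/1.8.14.txt
@@ -2,9 +2,20 @@
 Django 1.8.14 release notes
 ===========================
 
-*Under development*
+*July 18, 2016*
 
-Django 1.8.14 fixes several bugs in 1.8.13.
+Django 1.8.14 fixes a security issue and a bug in 1.8.13.
+
+XSS in admin's add/change related popup
+=======================================
+
+Unsafe usage of JavaScript's ``Element.innerHTML`` could result in XSS in the
+admin's add/change related popup. ``Element.textContent`` is now used to
+prevent execution of the data.
+
+The debug view also used ``innerHTML``. Although a security issue wasn't
+identified there, out of an abundance of caution it's also updated to use
+``textContent``.
 
 Bugfixes
 ========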

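--- a/docs/releases/1.9.8.txt
+++ b/docs/releases/1.9.8.txt
@@ -2,9 +2,20 @@
 Django 1.9.8 release notes
 ==========================
 
-*Under development*
+*July 18, 2016*
 
-Django 1.9.8 fixes several bugs in 1.9.7.
+Django 1.9.8 fixes a security issue and several bugs in 1.9.7.
+
+XSS in admin's add/change related popup
+=======================================
+
+Unsafe usage of JavaScript's ``Element.innerHTML`` could result in XSS in the
+admin's add/change related popup. ``Element.textContent`` is now used to
+prevent execution of the data.
+
+The debug view also used ``innerHTML``. Although a security issue wasn't
+identified there, out of an abundance of caution it's also updated to use
+``textContent``.
 
 Bugfixes
 ========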

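--- a/tests/admin_views/models.py
+++ b/tests/admin_views/models.py
@@ -17,13 +17,17 @@
 from django.utils.encoding import python_2_unicode_compatible
 
 
+@python_2_unicode_compatible
 class Section(models.Model):
 """
 A simple section that links to articles, to test linking to related items
 in admin views.
 """
 name = models.CharField(max_length=100)
 
+def __str__(self):
+return self.name
+
 @property
 def name_property(self):
 """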

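--- a/tests/admin_views/tests.py
+++ b/tests/admin_views/tests.py
@@ -4625,8 +4625,10 @@ def test_list_editable_popups(self):
 """
 list_editable foreign keys have add/change popups.
 """
+from selenium.webdriver.support.ui import Select
 s1 = Section.objects.create(name='Test section')
 Article.objects.create(
+title='foo',
 content='<p>Middle content</p>',
 date=datetime.datetime(2008, 3, 18, 11, 54, 58),
 section=s1,
@@ -4638,8 +4640,13 @@ def test_list_editable_popups(self):
 self.wait_for_popup()
 self.selenium.switch_to.window(self.selenium.window_handles[-1])
 self.wait_for_text('#content h1', 'Change section')
-self.selenium.close()
+name_input = self.selenium.find_element_by_id('id_name')
+name_input.clear()
+name_input.send_keys('<i>edited section</i>')
+self.selenium.find_element_by_xpath('//input[@value="Save"]').click()
 self.selenium.switch_to.window(self.selenium.window_handles[0])
+select = Select(self.selenium.find_element_by_id('id_form-0-section'))
+self.assertEqual(select.first_selected_option.text, '<i>edited section</i>')
 
 # Add popup
 self.selenium.find_element_by_id('add_id_form-0-section').click()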
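Review bot: In the second hunk the `assertEqual` on the selected option runs immediately after switching back to the opener window, with no wait between the Save click and the read of `id_form-0-section`; the click returns when the popup submits, not when the opener's `<option>` has been rewritten by the popup callback, so on a slow browser this can read the stale `Test section` text and fail intermittently. Gating the read on the update, in the style of the `wait_for_text` helper already used in this hunk, would make the regression test deterministic, e.g. waiting until the selected option's text is `'<i>edited section</i>'` before the assertion. The assertion itself is the right shape for this fix: the literal `<i>…</i>` must survive as text, which is exactly what `textContent` guarantees and `innerHTML` would have destroyed. `test_list_editable_popups` starts before the first hunk and continues past the second.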
