
Fixed CVE-2020-13596 -- Fixed potential XSS in admin ForeignKeyRawIdWidget.

This commit is contained in:
Jon Dufresne
2020-05-26 09:51:02 +02:00
committed by Carlton Gibson
parent 81dc710571
commit 2dd4d110c1
5 changed files with 36 additions and 3 deletions


@@ -27,6 +27,14 @@ class Band(models.Model):
return self.name
class UnsafeLimitChoicesTo(models.Model):
band = models.ForeignKey(
Band,
models.CASCADE,
limit_choices_to={'name': '"&><escapeme'},
)
class Album(models.Model):
band = models.ForeignKey(Band, models.CASCADE)
featuring = models.ManyToManyField(Band, related_name='featured')
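Review bot: UnsafeLimitChoicesTo carries no comment explaining why its limit_choices_to value is `'"&><escapeme'`, so a later reader of the test models could mistake the odd string for a typo and "clean" it, silently weakening the regression coverage. I would add a one-line comment above the class, `# Deliberately unsafe characters: regression model for escaping of limit_choices_to in ForeignKeyRawIdWidget (CVE-2020-13596).`, so the intent stays attached to the fixture. The hunk's blank lines appear to have been dropped by the rendering, so the exact placement relative to the surrounding classes should be checked against the raw file.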