Fixed #15182 - Fixed a security issue with ClearableFileInput. Disclosure and new release forthcoming.

git-svn-id: http://code.djangoproject.com/svn/django/trunk@15470 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2025-10-24 14:16:09 +00:00 · 2011-02-09 02:41:32 +00:00
parent 6ca7c9c495
commit 9f6d50d02e
2 changed files with 26 additions and 3 deletions
--- a/django/forms/widgets.py
+++ b/django/forms/widgets.py
@@ -330,12 +330,13 @@ class ClearableFileInput(FileInput):
        if value and hasattr(value, "url"):
            template = self.template_with_initial
            substitutions['initial'] = (u'<a href="%s">%s</a>'
-                                        % (value.url, value))
+                                        % (escape(value.url),
+                                           escape(force_unicode(value))))
            if not self.is_required:
                checkbox_name = self.clear_checkbox_name(name)
                checkbox_id = self.clear_checkbox_id(checkbox_name)
-                substitutions['clear_checkbox_name'] = checkbox_name
-                substitutions['clear_checkbox_id'] = checkbox_id
+                substitutions['clear_checkbox_name'] = conditional_escape(checkbox_name)
+                substitutions['clear_checkbox_id'] = conditional_escape(checkbox_id)
                substitutions['clear'] = CheckboxInput().render(checkbox_name, False, attrs={'id': checkbox_id})
                substitutions['clear_template'] = self.template_with_clear % substitutions