mirrors/django
1
0
Fork 0
mirror of https://github.com/django/django.git synced 2025-08-04 02:48:35 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 1

Fixed is_safe_url() to handle leading whitespace.

Browse source 
This is a security fix. Disclosure following shortly.
This commit is contained in:
Tim Graham 2014-12-03 16:14:00 -05:00
parent 316b8d4974
commit 69b5e66738
5 changed files with 45 additions and 1 deletions
Download patch file Download diff file Expand all files Collapse all files

3
tests/utils_tests/test_http.py
View file

@ -109,7 +109,8 @@ class TestUtilsHttp(unittest.TestCase):
'http:/\//example.com',
'http:\/example.com',
'http:/\example.com',
'javascript:alert("XSS")'):
'javascript:alert("XSS")',
'\njavascript:alert(x)'):
self.assertFalse(http.is_safe_url(bad_url, host='testserver'), "%s should be blocked" % bad_url)
for good_url in ('/view/?param=http://example.com',
'/view/?param=https://example.com',