mirrors/django
1
0
Fork 0
mirror of https://github.com/django/django.git synced 2025-07-24 21:54:14 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 4

Fixed #15182 - Fixed a security issue with ClearableFileInput. Disclosure and new release forthcoming.

Browse source 
git-svn-id: http://code.djangoproject.com/svn/django/trunk@15470 bcc190cf-cafb-0310-a4f2-bffc1f526a37
This commit is contained in:
Carl Meyer 2011-02-09 02:41:32 +00:00
parent 6ca7c9c495
commit 9f6d50d02e
2 changed files with 26 additions and 3 deletions
Download patch file Download diff file Expand all files Collapse all files

7
django/forms/widgets.py
View file

@ -330,12 +330,13 @@ class ClearableFileInput(FileInput):
if value and hasattr(value, "url"):
template = self.template_with_initial
substitutions['initial'] = (u'<a href="%s">%s</a>'
% (value.url, value))
% (escape(value.url),
escape(force_unicode(value))))
if not self.is_required:
checkbox_name = self.clear_checkbox_name(name)
checkbox_id = self.clear_checkbox_id(checkbox_name)
substitutions['clear_checkbox_name'] = checkbox_name
substitutions['clear_checkbox_id'] = checkbox_id
substitutions['clear_checkbox_name'] = conditional_escape(checkbox_name)
substitutions['clear_checkbox_id'] = conditional_escape(checkbox_id)
substitutions['clear'] = CheckboxInput().render(checkbox_name, False, attrs={'id': checkbox_id})
substitutions['clear_template'] = self.template_with_clear % substitutions