$OpenBSD: patch-tests_regressiontests_admin_widgets_tests_py,v 1.1 2011/02/11 11:45:48 jasper Exp $

Security fix for SA43230.
http://www.djangoproject.com/weblog/2011/feb/08/security/

Patch from upstream svn -r15471.

--- tests/regressiontests/admin_widgets/tests.py.orig	Fri Dec  3 23:49:31 2010
+++ tests/regressiontests/admin_widgets/tests.py	Thu Feb 10 09:50:08 2011
@@ -237,7 +237,21 @@ class AdminFileWidgetTest(DjangoTestCase):
             '<input type="file" name="test" />',
         )
 
+    def test_render_escapes_html(self): 
+        class StrangeFieldFile(object): 
+            url = "something?chapter=1&sect=2&copy=3&lang=en" 
 
+            def __unicode__(self): 
+                return u'''something<div onclick="alert('oops')">.jpg''' 
+
+        widget = AdminFileWidget() 
+        field = StrangeFieldFile() 
+        output = widget.render('myfile', field) 
+        self.assertFalse(field.url in output) 
+        self.assertTrue(u'href="something?chapter=1&amp;sect=2&amp;copy=3&amp;lang=en"' in output) 
+        self.assertFalse(unicode(field) in output) 
+        self.assertTrue(u'something&lt;div onclick=&quot;alert(&#39;oops&#39;)&quot;&gt;.jpg' in output) 
+    
 class ForeignKeyRawIdWidgetTest(DjangoTestCase):
     def test_render(self):
         band = models.Band.objects.create(name='Linkin Park')
