prevent xss from UserProfile.display_name on admin deletion (bug 835827)

2014-04-17 16:48:51 +02:00 · 2014-04-17 16:48:51 +02:00 · 41b68cec25
--- a/apps/amo/tests/test_messages.py
+++ b/apps/amo/tests/test_messages.py
@ -3,6 +3,7 @@ import django.contrib.messages as django_messages
 from django.contrib.messages.storage import default_storage
 from django.http import HttpRequest

+from jingo import env
 from nose.tools import eq_
 from tower import ugettext as _

@ -69,3 +70,19 @@ def test_unicode_dups():
    storage = django_messages.get_messages(request)
    eq_(len(storage), 2, 'Too few or too many messages recorded.')

+
+def test_html_rendered_properly():
+    """Html markup is properly displayed in final template."""
+    request = HttpRequest()
+    setattr(request, '_messages', default_storage(request))
+
+    # This will call _file_message, which in turn calls _make_message, which in
+    # turn renders the message_content.html template, which adds html markup.
+    # We want to make sure this markup reaches the final rendering unescaped.
+    info(request, 'Title', 'Body')
+
+    messages = django_messages.get_messages(request)
+
+    template = env.get_template('messages.html')
+    html = template.render({'messages': messages})
+    assert "<h2>" in html  # The html from _make_message is not escaped.
--- a/apps/users/tests/test_views.py
+++ b/apps/users/tests/test_views.py
@ -377,6 +377,14 @@ class TestEditAdmin(UserViewBase):
        eq_(res.count(), 1)
        eq_(res[0].details['password'][0], u'****')

+    def test_delete_user_display_name_xss(self):
+        # This is to test for bug 835827.
+        self.regular.display_name = '"><img src=a onerror=alert(1)><a a="'
+        self.regular.save()
+        delete_url = reverse('admin:users_userprofile_delete',
+                             args=(self.regular.pk,))
+        res = self.client.post(delete_url, {'post': 'yes'}, follow=True)
+        assert self.regular.display_name not in res.content

 FakeResponse = collections.namedtuple("FakeResponse", "status_code content")

--- a/templates/messages.html
+++ b/templates/messages.html
@ -1,8 +1,8 @@
 {% if messages %}
  {% for message in messages %}
    <div class="notification-box {{ message.tags }}">
-      {# The message is actually formatted inside of message_content.html #}
-      {{ message|safe }}
+      {# The message is actually formatted inside of message_content.html if coming from olympia code, but not if coming from django views (eg: admin) #}
+      {{ message.message }}
    </div>
  {% endfor %}
 {% endif %}