[Django] #21279: Field content not escaped in admin filter


Django

Oct 16, 2013, 1:32:24 PM10/16/13
to django-...@googlegroups.com
#21279: Field content not escaped in admin filter
------------------------------+--------------------------------------------
Reporter: cam.w.lee@…         | Owner: nobody
Type: Bug                     | Status: new
Component: contrib.admin      | Version: 1.4
Severity: Normal              | Keywords: javascript escape admin filter
Triage Stage: Unreviewed      | Has patch: 0
Easy pickings: 1              | UI/UX: 0
------------------------------+--------------------------------------------
A user of our system recently entered the following as their name:

{{{
"><script>alert()</script>
}}}

This caused an issue in the admin interface. Although this user data was
sanitized properly in the list view and change form, when we added an
admin filter on this field, we started getting Javascript alerts when
browsing the admin. Turns out that there is no escaping in the options of
the filter even though they're pulled from the database and could be user
entered content.

This is what we see in the list options:
{{{
">
}}}

And this is what the HTML looks like:
{{{
<select class="grp-filter-choice">
<option value="?" selected='selected'>All</option>
<option value="?UnitName="></option>
<option
value="?UnitName=%22%3E%3Cscript%3Ealert%28%29%3C%2Fscript%3E">"><script>alert()</script></option>
<option value="?UnitName=005">005</option>
</select>
}}}

--
Ticket URL: <https://code.djangoproject.com/ticket/21279>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
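To make the escaping point in the report concrete, here is an added example (not code from Django, Grappelli, or the reporter) that renders the quoted `<select>` two ways: once with the option text interpolated raw, which reproduces the markup above byte for byte, and once with both the attribute and the text passed through `html.escape`, which is what a template that auto-escapes its variables does. The helper names, the constructed list of field values, and the `contains_raw_markup` regression check are assumptions made for this example.

```python
import html
from urllib.parse import urlencode

# Constructed sample of the distinct values an admin list filter would read
# from the database for the UnitName field, including the name from the
# ticket. Only the display text differs between the two renderings.
SAMPLE_VALUES = ["", '"><script>alert()</script>', "005"]


def option_url(param, value):
    """Build the ?param=value href for one filter choice.

    urlencode() percent-encodes every character that is not URL-safe, so
    the value attribute is identical in both renderings below; it is the
    form shown in the ticket's HTML.
    """
    return "?" + urlencode({param: value})


def render_option_unescaped(param, value):
    """The faulty rendering: the display text is interpolated raw.

    Hypothetical helper written for this example to reproduce the markup
    quoted in the ticket; it is not the admin's template code.
    """
    return '<option value="%s">%s</option>' % (option_url(param, value), value)


def render_option_escaped(param, value):
    """The hardened rendering: attribute and text both HTML-escaped.

    html.escape() turns < > & " ' into entities, so the browser shows the
    name as literal text instead of parsing it as markup.
    """
    return '<option value="%s">%s</option>' % (
        html.escape(option_url(param, value), quote=True),
        html.escape(value, quote=True),
    )


def render_filter(param, values, escape_text=True):
    """Render the whole <select> for one list filter, 'All' option first."""
    render = render_option_escaped if escape_text else render_option_unescaped
    lines = [
        '<select class="grp-filter-choice">',
        '<option value="?" selected="selected">All</option>',
    ]
    lines += [render(param, v) for v in values]
    lines.append("</select>")
    return "\n".join(lines)


def contains_raw_markup(rendered, values):
    """Regression check: does any database value containing '<' or '>'
    appear verbatim in the output? True means the text was not escaped."""
    return any(("<" in v or ">" in v) and v in rendered for v in values)


if __name__ == "__main__":
    # The unescaped rendering matches the HTML quoted in the ticket.
    print(render_filter("UnitName", SAMPLE_VALUES, escape_text=False))
    print()
    print(render_filter("UnitName", SAMPLE_VALUES))
```

The `contains_raw_markup` check is the kind of assertion worth keeping in an admin test suite: feed a record whose field value contains `<` or `>` through the changelist view and fail the test if that value comes back verbatim in the response body. Note that percent-encoding the `value` attribute, as the quoted HTML already does, protects only the URL; the option's display text needs HTML escaping of its own.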

Django

Oct 16, 2013, 1:40:21 PM10/16/13
to django-...@googlegroups.com
#21279: Field content not escaped in admin filter
-------------------------------------+-------------------------------------
Reporter: cam.w.lee@…                | Owner: nobody
Type: Bug                            | Status: new
Component: contrib.admin             | Version: 1.4
Severity: Normal                     | Resolution:
Keywords: javascript escape admin filter | Triage Stage: Unreviewed
Has patch: 0                         | Needs documentation: 0
Needs tests: 0                       | Patch needs improvement: 0
Easy pickings: 1                     | UI/UX: 0
-------------------------------------+-------------------------------------
Changes (by timo):

* needs_better_patch: => 0
* needs_tests: => 0
* needs_docs: => 0


Comment:

How is this filter generated? I tried `ModelAdmin.list_filter` but
couldn't reproduce.

--
Ticket URL: <https://code.djangoproject.com/ticket/21279#comment:1>

Django

Oct 16, 2013, 1:46:39 PM10/16/13
to django-...@googlegroups.com
#21279: Field content not escaped in admin filter

Comment (by cam.w.lee@…):

The filter is defined in the model admin:
https://docs.djangoproject.com/en/dev/ref/contrib/admin/#django.contrib.admin.ModelAdmin.list_filter

You simply specify which database fields should be filterable. From our
code (simplified):

{{{
from django.contrib.admin import ModelAdmin

class VehicleAdmin(ModelAdmin):

    # Trailing comma makes this a one-element tuple; without it
    # list_filter would be the bare string 'UnitName'.
    list_filter = ('UnitName',)
}}}

--
Ticket URL: <https://code.djangoproject.com/ticket/21279#comment:2>

Django

Oct 16, 2013, 1:48:05 PM10/16/13
to django-...@googlegroups.com
#21279: Field content not escaped in admin filter

Comment (by cam.w.lee@…):

If you're unable to reproduce, it might be fixed in a more recent version
of Django (I'm on 1.4). I wasn't able to test with a newer version of
Django, but did do some searching and couldn't find any mention of this
anywhere.

--
Ticket URL: <https://code.djangoproject.com/ticket/21279#comment:3>

Django

Oct 16, 2013, 1:57:48 PM10/16/13
to django-...@googlegroups.com
#21279: Field content not escaped in admin filter

Comment (by anonymous):

I just realized something: maybe this is an issue with Grappelli. I just
turned off Grappelli and I'm not getting alerts anymore.

--
Ticket URL: <https://code.djangoproject.com/ticket/21279#comment:4>

Django

Oct 16, 2013, 2:08:40 PM10/16/13
to django-...@googlegroups.com
#21279: Field content not escaped in admin filter
-------------------------------------+-------------------------------------
Reporter: cam.w.lee@…                | Owner: nobody
Type: Bug                            | Status: closed
Component: contrib.admin             | Version: 1.4
Severity: Normal                     | Resolution: invalid
Keywords: javascript escape admin filter | Triage Stage: Unreviewed
Has patch: 0                         | Needs documentation: 0
Needs tests: 0                       | Patch needs improvement: 0
Easy pickings: 1                     | UI/UX: 0
-------------------------------------+-------------------------------------
Changes (by timo):

* status: new => closed
* resolution: => invalid


Comment:

Ok, this is a cross-site scripting (XSS) security vulnerability so
definitely let whoever know once you track down the issue further. Try
upgrading your dependencies to the latest versions before reporting it if
possible.

--
Ticket URL: <https://code.djangoproject.com/ticket/21279#comment:5>

Django

Oct 16, 2013, 2:10:55 PM10/16/13
to django-...@googlegroups.com
#21279: Field content not escaped in admin filter

Comment (by cam.w.lee@…):

Ya. I'm going to look into this with Grappelli and report a bug there if
needed.

Thanks for the help and sorry this turned out to be invalid (or not I
guess - better that there is no bug).

--
Ticket URL: <https://code.djangoproject.com/ticket/21279#comment:6>

Django

Oct 16, 2013, 2:14:28 PM10/16/13
to django-...@googlegroups.com
#21279: Field content not escaped in admin filter

Comment (by timo):

By the way, you should report security issues like this privately. For
Django, see djangoproject.com/security

--
Ticket URL: <https://code.djangoproject.com/ticket/21279#comment:7>

Django

Oct 17, 2013, 11:59:10 AM10/17/13
to django-...@googlegroups.com
#21279: Field content not escaped in admin filter

Comment (by cam.w.lee@…):

Replying to [comment:7 timo]:


> By the way, you should report security issues like this privately. For
Django, see djangoproject.com/security


Ok. I'll do that in the future. For this ticket though, is there any way
to delete it?

--
Ticket URL: <https://code.djangoproject.com/ticket/21279#comment:8>
