Commit 75e51ebc authored by libinghan's avatar libinghan

refs #1503 fixed reflected xss & treat backslash in url

parent 6f570e33
from re import sub
from re import sub, compile
from jinja2 import contextfunction
from flask import g, request, url_for, flash
from wtforms.validators import DataRequired, InputRequired
......@@ -9,6 +9,7 @@ from ._compat import string_types
VALID_SCHEMES = ['http', 'https']
_substitute_whitespace = compile(r'[\s\x00-\x08\x0B\x0C\x0E-\x19]+').sub
def set_current_view(view):
......@@ -131,8 +132,13 @@ def prettify_class_name(name):
def is_safe_url(target):
# prevent urls like "\\www.google.com"
# some browser will change \\ to // (eg: Chrome)
# refs https://stackoverflow.com/questions/10438008
target = target.replace('\\', '/')
# prevent urls starting with "javascript:"
target = target.strip()
target = _substitute_whitespace('', target)
target_info = urlparse(target)
target_scheme = target_info.scheme
if target_scheme and target_scheme not in VALID_SCHEMES:
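Review bot: After `target = target.replace('\\', '/')`, a target that starts with three backslashes (or a literal `///www.google.com`) becomes `///www.google.com`, which `urlparse` reads as an empty netloc with path `/www.google.com`, whereas browsers following the WHATWG URL parser skip the extra slashes and navigate to `www.google.com`; unless the rest of `is_safe_url` (it continues past this hunk) rejects that shape, the redirect is still open. The customary guard, as in Django's `url_has_allowed_host_and_scheme`, is to add `if target.startswith('///'):` / `return False` directly after the replacement. Separately, the `_substitute_whitespace` class added in the earlier hunk stops at `\x19`, but browsers strip every leading/trailing C0 control (U+0000–U+001F); Python's `strip()` covers `\x1c`–`\x1f` as whitespace but not `\x1a`/`\x1b`, so widening the range to `\x0E-\x1F` closes that gap. A short comment above the replacement stating that it must run before any scheme or host checks would also help the next maintainer keep the ordering.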
......@@ -15,3 +15,5 @@ def test_is_safe_url():
assert not helpers.is_safe_url('http://127.0.0.2/admin/car/')
assert not helpers.is_safe_url(' javascript:alert(document.domain)')
assert not helpers.is_safe_url('javascript:alert(document.domain)')
assert not helpers.is_safe_url('javascrip\nt:alert(document.domain)')
assert not helpers.is_safe_url('\\\\www.google.com')
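Review bot: The two new assertions pin only the literal strings from the report, so the backslash normalization is not exercised on the mixed forms a browser also accepts; adding `assert not helpers.is_safe_url('\\\\/www.google.com')` and `assert not helpers.is_safe_url('/\\\\www.google.com')` would cover them. A case such as `'///www.google.com'`, which `urlparse` treats as host-less while browsers resolve it to an external host, would document whether the helper rejects it. An uppercase scheme like `'JAVASCRIPT:alert(document.domain)'` is worth pinning too, since the check relies on `urlparse` lowercasing the scheme.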