1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
|
From: Chris Lamb <lamby@debian.org>
Date: Sat, 13 Jun 2020 15:31:58 +0100
Subject: CVE-2020-13596
---
django/contrib/admin/widgets.py | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/django/contrib/admin/widgets.py b/django/contrib/admin/widgets.py
index 26de9c7..64f3af5 100644
--- a/django/contrib/admin/widgets.py
+++ b/django/contrib/admin/widgets.py
@@ -15,6 +15,7 @@ from django.template.loader import render_to_string
from django.urls import reverse
from django.urls.exceptions import NoReverseMatch
from django.utils import six
+from django.utils.http import urlencode
from django.utils.encoding import force_text
from django.utils.html import format_html, format_html_join, smart_urlquote
from django.utils.safestring import mark_safe
@@ -166,7 +167,7 @@ class ForeignKeyRawIdWidget(forms.TextInput):
params = self.url_parameters()
if params:
- url = '?' + '&'.join('%s=%s' % (k, v) for k, v in params.items())
+ url = '?' + urlencode(params)
else:
url = ''
if "class" not in attrs:
|
