
XSS in select dropdowns #171

Closed
samupl opened this issue Feb 1, 2017 · 4 comments
Comments

samupl (Contributor) commented Feb 1, 2017

During our testing, @KubaGorski found an XSS vulnerability in the select dropdown rendering.

The bug is found in chainedfk.js#L41 and chainedm2m.js#L54.

You can trigger the XSS while having a model with a __str__ method that returns arbitrary javascript code, and it can be dangerous if you have chained models with __str__ methods using fields that are filled in by users, for example:

from django.db import models

class Comment(models.Model):
    # user-filled field, returned verbatim by __str__
    text = models.CharField(max_length=128)

    def __str__(self):
        return self.text

And if the text field contains something like Lorem ipsum <script>alert(123)</script>, the javascript code will be executed in the django admin interface, which can lead to data leak, credential stealing or attacks on particular browser vulnerabilities of the site admin.
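An added example (not code from the issue or from the project's chainedfk.js/chainedm2m.js) that puts the string-building pattern described above next to an escaped version; the JSON field names "value"/"display" and the shape of the render function are assumptions:

```javascript
// Added example (not django-smart-selects' own code): the dropdown is rebuilt
// from the JSON the chained-select view returns, where each entry's "display"
// is the model's __str__() output. Concatenating that text straight into
// <option> markup is the bug pattern; escaping it first (or building the
// option with DOM APIs and option.textContent in a browser) is the fix.

// Constructed sample response; field names "value"/"display" are assumed.
const sampleResponse = [
  { value: 1, display: "Lorem ipsum" },
  { value: 2, display: "Lorem ipsum <script>alert(123)</script>" },
];

// Minimal HTML escaper covering the characters that matter inside element
// content and double-quoted attribute values.
function escapeHtml(str) {
  return String(str)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Vulnerable pattern: __str__ output lands in the markup verbatim, so a
// user-filled model field becomes live markup in the admin's browser.
function renderOptionsUnsafe(items) {
  return items
    .map((it) => '<option value="' + it.value + '">' + it.display + "</option>")
    .join("");
}

// Hardened pattern: every server-supplied piece is escaped, the value
// included, since it comes from the same response as the display text.
function renderOptionsSafe(items) {
  return items
    .map((it) => '<option value="' + escapeHtml(it.value) + '">' +
                 escapeHtml(it.display) + "</option>")
    .join("");
}

// Regression check a maintainer can keep in a test suite: rendered markup
// must never contain a raw "<script" sequence sourced from display strings.
function containsRawScriptTag(html) {
  return /<script/i.test(html);
}
```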

samupl (Contributor, Author) commented Feb 1, 2017

I have created a pull request that fixes this bug: #172

blag (Collaborator) commented Feb 1, 2017

I will upload a new release to PyPI containing this fix, and remove previous (insecure) versions from PyPI.

Thanks for your help!

samupl (Contributor, Author) commented Feb 1, 2017

You're welcome ;)

blag (Collaborator) commented Feb 1, 2017

Your changes are in version 1.2.9 and are now on PyPI.

People reading this in the future

I dug through the history - this has been a security flaw since the first initial commit, so I removed all versions below 1.2.9 from PyPI. I know this will break people's builds, and I'm sorry. Please upgrade to version 1.2.9 or higher (whatever the latest version is). If you truly need to use any previous versions, you can specify the commit to use. See this Stack Overflow post for examples, but I am making this difficult for a reason: you should not do this.

@blag blag closed this as completed Feb 1, 2017
@nealscut nealscut mentioned this issue Apr 9, 2017