Add URLvalidator to validate in admin widget

This is the same method that was introduced for CVE-2019-12308: AdminURLFieldWidgetXSS.
jazzband · Sep 28, 2022 · 83f61bd · 83f61bd
1 parent 7fb80a5
commit 83f61bd
Showing 1 changed file with 5 additions and 1 deletion.
diff --git a/embed_video/admin.py b/embed_video/admin.py
@@ -1,4 +1,6 @@
 from django import forms
+from django.core.validators import URLValidator
+from django.core.exceptions import ValidationError
 from django.utils.safestring import mark_safe
 
 from embed_video.backends import (
@@ -33,6 +35,7 @@ def __init__(self, attrs=None):
         :type attrs: dict
         """
         default_attrs = {"size": "40"}
+        self.validator = URLValidator()
 
         if attrs:
             default_attrs.update(attrs)
@@ -51,13 +54,14 @@ def render(self, name, value="", attrs=None, size=(420, 315), renderer=None):
             return output
 
         try:
+            self.validator(value)
             backend = detect_backend(value)
             return mark_safe(
                 self.output_format.format(
                     video=backend.get_embed_code(*size), input=output
                 )
             )
-        except (UnknownBackendException, VideoDoesntExistException):
+        except (UnknownBackendException, ValidationError, VideoDoesntExistException):
             return output