Escape data-clipboard-content attribute in Image Uploads admin (#2301)

Author: charlesroelli

blog/admin.py

@@ -2,7 +2,7 @@
 
 from django.contrib import admin
 from django.urls import reverse
-from django.utils.html import format_html, format_html_join
+from django.utils.html import escape, format_html, format_html_join
 from django.utils.translation import gettext as _, gettext_lazy
 from sorl.thumbnail import get_thumbnail
 
@@ -80,7 +80,7 @@ def _get_copy_button(self, obj, contentformat):
         source = contentformat.img(obj.image.url, obj.alt_text)
         return format_html(
             '<button type="button" data-clipboard-content="{}">{}</button>',
-            source,
+            escape(source),
             contentformat.label,
         )
 

blog/tests.py

@@ -4,6 +4,7 @@
 
 import time_machine
 from django.conf import settings
+from django.contrib import admin
 from django.contrib.auth.models import Permission, User
 from django.contrib.contenttypes.models import ContentType
 from django.core.files.base import ContentFile
@@ -619,3 +620,18 @@ def test_alt_text_html_escape(self):
                     ContentFormat.to_html(cf, img_tag),
                     expected,
                 )
+
+    def test_copy_button(self):
+        i = ImageUpload.objects.create(
+            title="test",
+            alt_text='Alt text "here"',
+            image=ContentFile(b".", name="test.png"),
+        )
+        self.assertInHTML(
+            '<button type="button" data-clipboard-content='
+            f'"&lt;img src=&quot;/m/{i.image}&quot; '
+            'alt=&quot;Alt text &amp;quot;here&amp;quot;&quot;&gt;">'
+            "Raw HTML"
+            "</button>",
+            admin.site.get_model_admin(ImageUpload).copy_buttons(i),
+        )