Ticket #2359: 03-admin-changes.diff

File 03-admin-changes.diff, 36.9 KB (added by Malcolm Tredinnick, 18 years ago)

Changes to contrib/admin/

  • django/contrib/admin/filterspecs.py

    Changes to admin app to make it use autoescaping.
    
    From:  <>
    
    
    ---
    
     django/contrib/admin/filterspecs.py                |    3 ++-
     django/contrib/admin/models.py                     |    3 ++-
     django/contrib/admin/templates/admin/base.html     |   10 +++++---
     .../contrib/admin/templates/admin/base_site.html   |    2 +-
     .../contrib/admin/templates/admin/change_form.html |    4 ++--
     .../contrib/admin/templates/admin/change_list.html |    2 +-
     .../admin/templates/admin/date_hierarchy.html      |    4 ++--
     .../admin/templates/admin/delete_confirmation.html |    4 ++--
     .../admin/templates/admin/edit_inline_stacked.html |    2 +-
     .../admin/templates/admin/edit_inline_tabular.html |    4 ++--
     django/contrib/admin/templates/admin/filter.html   |    2 +-
     django/contrib/admin/templates/admin/index.html    |    6 +++--
     .../admin/templates/admin/invalid_setup.html       |    2 +-
     .../admin/templates/admin/object_history.html      |    6 +++---
     .../contrib/admin/templates/admin/pagination.html  |    2 +-
     .../contrib/admin/templates/admin/search_form.html |    4 ++--
     .../admin/templates/admin_doc/model_detail.html    |   10 +++++-----
     .../admin/templates/admin_doc/template_detail.html |   10 +++++-----
     .../admin/templates/admin_doc/view_detail.html     |    2 +-
     django/contrib/admin/templates/widget/foreign.html |    2 +-
     .../contrib/admin/templates/widget/one_to_one.html |    2 +-
     django/contrib/admin/templatetags/admin_list.py    |   11 +++++----
     django/contrib/admin/templatetags/admin_modify.py  |   14 +++++++-----
     django/contrib/admin/utils.py                      |    3 ++-
     django/contrib/admin/views/decorators.py           |    2 +-
     django/contrib/admin/views/doc.py                  |    3 ++-
     django/contrib/admin/views/main.py                 |   24 +++++++++++---------
     27 files changed, 77 insertions(+), 66 deletions(-)
    
    diff --git a/django/contrib/admin/filterspecs.py b/django/contrib/admin/filterspecs.py
    index 8c2b821..c108f6e 100644
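--- a/django/contrib/admin/filterspecs.py
+++ b/django/contrib/admin/filterspecs.py
@@ -7,6 +7,7 @@ certain test -- e.g. being a DateField o
 """
 
 from django.db import models
+from django.utils import html
 import datetime
 
 class FilterSpec(object):
@@ -37,7 +38,7 @@ class FilterSpec(object):
     def output(self, cl):
         t = []
         if self.has_output():
-            t.append(_('<h3>By %s:</h3>\n<ul>\n') % self.title())
+            t.append(_('<h3>By %s:</h3>\n<ul>\n') % html.escape(self.title()))
 
             for choice in self.choices(cl):
                 t.append('<li%s><a href="%s">%s</a></li>\n' % \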
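Review bot: `output()` escapes only the heading; the `<li>` line right below builds the `href` and link text with plain `%s`, and its argument tuple continues past the end of the hunk, so it cannot be confirmed here that the choice values are escaped. If `choices()` does not already return escaped values, escape them at interpolation the way the title now is, and add `# choice values must be HTML-escaped before interpolation` above the loop.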
  • django/contrib/admin/models.py

    diff --git a/django/contrib/admin/models.py b/django/contrib/admin/models.py
    index 022d20b..0f45f35 100644
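--- a/django/contrib/admin/models.py
+++ b/django/contrib/admin/models.py
@@ -2,6 +2,7 @@ from django.db import models
 from django.contrib.contenttypes.models import ContentType
 from django.contrib.auth.models import User
 from django.utils.translation import gettext_lazy as _
+from django.utils.safestring import mark_safe
 
 ADDITION = 1
 CHANGE = 2
@@ -48,4 +49,4 @@ class LogEntry(models.Model):
         Returns the admin URL to edit the object represented by this log entry.
         This is relative to the Django admin index page.
         """
-        return "%s/%s/%s/" % (self.content_type.app_label, self.content_type.model, self.object_id)
+        return mark_safe("%s/%s/%s/" % (self.content_type.app_label, self.content_type.model, self.object_id))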
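Review bot: The new return statement wraps a string containing `self.object_id` in `mark_safe` without escaping it, so autoescaping no longer applies when index.html places `{{ entry.get_admin_url }}` in an `href`. `object_id` holds whatever the logged object's key was; if keys can be arbitrary strings, the safer form is to keep the plain return, `return "%s/%s/%s/" % (self.content_type.app_label, self.content_type.model, self.object_id)`, and let the template escape it. The method's signature is outside the hunk.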
  • django/contrib/admin/templates/admin/base.html

    diff --git a/django/contrib/admin/templates/admin/base.html b/django/contrib/admin/templates/admin/base.html
    index 41514e6..c505dc0 100644
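--- a/django/contrib/admin/templates/admin/base.html
+++ b/django/contrib/admin/templates/admin/base.html
@@ -12,6 +12,7 @@
 <body class="{% if is_popup %}popup {% endif %}{% block bodyclass %}{% endblock %}">
 
 <!-- Container -->
+{% autoescape %}
 <div id="container">
 
     {% if not is_popup %}
@@ -21,22 +22,22 @@
         {% block branding %}{% endblock %}
         </div>
         {% if user.is_authenticated and user.is_staff %}
-        <div id="user-tools">{% trans 'Welcome,' %} <strong>{% if user.first_name %}{{ user.first_name|escape }}{% else %}{{ user.username }}{% endif %}</strong>. {% block userlinks %}<a href="doc/">{% trans 'Documentation' %}</a> / <a href="password_change/">{% trans 'Change password' %}</a> / <a href="logout/">{% trans 'Log out' %}</a>{% endblock %}</div>
+        <div id="user-tools">{% trans 'Welcome,' %} <strong>{% if user.first_name %}{{ user.first_name }}{% else %}{{ user.username }}{% endif %}</strong>. {% block userlinks %}<a href="doc/">{% trans 'Documentation' %}</a> / <a href="password_change/">{% trans 'Change password' %}</a> / <a href="logout/">{% trans 'Log out' %}</a>{% endblock %}</div>
         {% endif %}
         {% block nav-global %}{% endblock %}
     </div>
     <!-- END Header -->
-    {% block breadcrumbs %}<div class="breadcrumbs"><a href="/">{% trans 'Home' %}</a>{% if title %} &rsaquo; {{ title|escape }}{% endif %}</div>{% endblock %}
+    {% block breadcrumbs %}<div class="breadcrumbs"><a href="/">{% trans 'Home' %}</a>{% if title %} &rsaquo; {{ title }}{% endif %}</div>{% endblock %}
     {% endif %}
 
         {% if messages %}
-        <ul class="messagelist">{% for message in messages %}<li>{{ message|escape }}</li>{% endfor %}</ul>
+        <ul class="messagelist">{% for message in messages %}<li>{{ message }}</li>{% endfor %}</ul>
         {% endif %}
 
     <!-- Content -->
     <div id="content" class="{% block coltype %}colM{% endblock %}">
         {% block pretitle %}{% endblock %}
-        {% block content_title %}{% if title %}<h1>{{ title|escape }}</h1>{% endif %}{% endblock %}
+        {% block content_title %}{% if title %}<h1>{{ title }}</h1>{% endif %}{% endblock %}
         {% block content %}{{ content }}{% endblock %}
         {% block sidebar %}{% endblock %}
         <br class="clear" />
@@ -45,6 +46,7 @@
 
     {% block footer %}<div id="footer"></div>{% endblock %}
 </div>
+{% endautoescape %}
 <!-- END Container -->
 
 </body>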
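Review bot: The `{% autoescape %}` tag opens at new line 15, after `<body>`, so anything base.html renders above that line is not covered by it. The `<head>` is outside the hunk, but if `{% block title %}` lives there, the `{{ title }}` that base_site.html now emits without `|escape` (and the `{{ name }}` in the title blocks of model_detail.html and template_detail.html) would be output raw. Open the block before the document head instead, with `{% autoescape %}` on the template's first line and `{% endautoescape %}` after `</html>`, or keep `|escape` on values rendered in title blocks.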
  • django/contrib/admin/templates/admin/base_site.html

    diff --git a/django/contrib/admin/templates/admin/base_site.html b/django/contrib/admin/templates/admin/base_site.html
    index 2bc7310..b867bd2 100644
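--- a/django/contrib/admin/templates/admin/base_site.html
+++ b/django/contrib/admin/templates/admin/base_site.html
@@ -1,7 +1,7 @@
 {% extends "admin/base.html" %}
 {% load i18n %}
 
-{% block title %}{{ title|escape }} | {% trans 'Django site admin' %}{% endblock %}
+{% block title %}{{ title }} | {% trans 'Django site admin' %}{% endblock %}
 
 {% block branding %}
 <h1 id="site-name">{% trans 'Django administration' %}</h1>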
  • django/contrib/admin/templates/admin/change_form.html

    diff --git a/django/contrib/admin/templates/admin/change_form.html b/django/contrib/admin/templates/admin/change_form.html
    index e61eb55..d22cfa8 100644
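--- a/django/contrib/admin/templates/admin/change_form.html
+++ b/django/contrib/admin/templates/admin/change_form.html
@@ -11,8 +11,8 @@
 {% block breadcrumbs %}{% if not is_popup %}
 <div class="breadcrumbs">
      <a href="../../../">{% trans "Home" %}</a> &rsaquo;
-     <a href="../">{{ opts.verbose_name_plural|capfirst|escape }}</a> &rsaquo;
-     {% if add %}{% trans "Add" %} {{ opts.verbose_name|escape }}{% else %}{{ original|truncatewords:"18"|escape }}{% endif %}
+     <a href="../">{{ opts.verbose_name_plural|capfirst }}</a> &rsaquo;
+     {% if add %}{% trans "Add" %} {{ opts.verbose_name }}{% else %}{{ original|truncatewords:"18" }}{% endif %}
 </div>
 {% endif %}{% endblock %}
 {% block content %}<div id="content-main">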
  • django/contrib/admin/templates/admin/change_list.html

    diff --git a/django/contrib/admin/templates/admin/change_list.html b/django/contrib/admin/templates/admin/change_list.html
    index bd2304b..2c8ff3e 100644
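--- a/django/contrib/admin/templates/admin/change_list.html
+++ b/django/contrib/admin/templates/admin/change_list.html
@@ -3,7 +3,7 @@
 {% block stylesheet %}{% admin_media_prefix %}css/changelists.css{% endblock %}
 {% block bodyclass %}change-list{% endblock %}
 {% block userlinks %}<a href="../../doc/">{% trans 'Documentation' %}</a> / <a href="../../password_change/">{% trans 'Change password' %}</a> / <a href="../../logout/">{% trans 'Log out' %}</a>{% endblock %}
-{% if not is_popup %}{% block breadcrumbs %}<div class="breadcrumbs"><a href="../../">{% trans "Home" %}</a> &rsaquo; {{ cl.opts.verbose_name_plural|capfirst|escape }}</div>{% endblock %}{% endif %}
+{% if not is_popup %}{% block breadcrumbs %}<div class="breadcrumbs"><a href="../../">{% trans "Home" %}</a> &rsaquo; {{ cl.opts.verbose_name_plural|capfirst }}</div>{% endblock %}{% endif %}
 {% block coltype %}flex{% endblock %}
 {% block content %}
 <div id="content-main">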
  • django/contrib/admin/templates/admin/date_hierarchy.html

    diff --git a/django/contrib/admin/templates/admin/date_hierarchy.html b/django/contrib/admin/templates/admin/date_hierarchy.html
    index d2d6961..0058510 100644
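--- a/django/contrib/admin/templates/admin/date_hierarchy.html
+++ b/django/contrib/admin/templates/admin/date_hierarchy.html
@@ -1,9 +1,9 @@
 {% if show %}
 <div class="xfull">
 <ul class="toplinks">
-{% if back %}<li class="date-back"><a href="{{ back.link }}">&lsaquo; {{ back.title|escape }}</a></li>{% endif %}
+{% if back %}<li class="date-back"><a href="{{ back.link }}">&lsaquo; {{ back.title }}</a></li>{% endif %}
 {% for choice in choices %}
-<li> {% if choice.link %}<a href="{{ choice.link }}">{% endif %}{{ choice.title|escape }}{% if choice.link %}</a>{% endif %}</li>
+<li> {% if choice.link %}<a href="{{ choice.link }}">{% endif %}{{ choice.title }}{% if choice.link %}</a>{% endif %}</li>
 {% endfor %}
 </ul><br class="clear" />
 </div>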
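Review bot: This template starts at line 1 with `{% if show %}`, so it neither extends admin/base.html nor opens its own `{% autoescape %}` block, yet `|escape` is dropped from `back.title` and `choice.title`. Whether the caller's escaping state carries into a fragment that is rendered separately is not visible in this patch; if it does not, these values are emitted raw. The same applies to edit_inline_stacked.html, edit_inline_tabular.html and widget/one_to_one.html (all shown from line 1 with no wrapper), and probably to filter.html, pagination.html, widget/foreign.html and search_form.html, where `cl.query`, `pair.0` and `pair.1` sit inside attribute values. Either wrap each fragment in `{% autoescape %}` and `{% endautoescape %}`, or keep the explicit `|escape` until inheritance is confirmed.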
  • django/contrib/admin/templates/admin/delete_confirmation.html

    diff --git a/django/contrib/admin/templates/admin/delete_confirmation.html b/django/contrib/admin/templates/admin/delete_confirmation.html
    index 3921ab6..7402018 100644
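--- a/django/contrib/admin/templates/admin/delete_confirmation.html
+++ b/django/contrib/admin/templates/admin/delete_confirmation.html
@@ -4,7 +4,7 @@
 {% block breadcrumbs %}
 <div class="breadcrumbs">
      <a href="../../../../">{% trans "Home" %}</a> &rsaquo;
-     <a href="../../">{{ opts.verbose_name_plural|capfirst|escape }}</a> &rsaquo;
+     <a href="../../">{{ opts.verbose_name_plural|capfirst }}</a> &rsaquo;
      <a href="../">{{ object|escape|truncatewords:"18" }}</a> &rsaquo;
      {% trans 'Delete' %}
 </div>
@@ -14,7 +14,7 @@
     <p>{% blocktrans with object|escape as escaped_object %}Deleting the {{ object_name }} '{{ escaped_object }}' would result in deleting related objects, but your account doesn't have permission to delete the following types of objects:{% endblocktrans %}</p>
     <ul>
     {% for obj in perms_lacking %}
-        <li>{{ obj|escape }}</li>
+        <li>{{ obj }}</li>
     {% endfor %}
     </ul>
 {% else %}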
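Review bot: The explicit `|escape` is removed from `opts.verbose_name_plural` and `obj`, but line 8 still renders `{{ object|escape|truncatewords:"18" }}` and line 14 still passes `object|escape` into `blocktrans`, while object_history.html in this same patch changes the identical expression to `{{ object|truncatewords:"18" }}`. pagination.html has the same split on a single line: `cl.opts.verbose_name|escape` is kept and `cl.opts.verbose_name_plural` loses the filter. Unless `escape` is guaranteed not to escape twice under autoescaping, pick one convention, e.g. `<a href="../">{{ object|truncatewords:"18" }}</a> &rsaquo;`.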
  • django/contrib/admin/templates/admin/edit_inline_stacked.html

    diff --git a/django/contrib/admin/templates/admin/edit_inline_stacked.html b/django/contrib/admin/templates/admin/edit_inline_stacked.html
    index 48ecc69..45aa0a4 100644
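--- a/django/contrib/admin/templates/admin/edit_inline_stacked.html
+++ b/django/contrib/admin/templates/admin/edit_inline_stacked.html
@@ -1,7 +1,7 @@
 {% load admin_modify %}
 <fieldset class="module aligned">
    {% for fcw in bound_related_object.form_field_collection_wrappers %}
-      <h2>{{ bound_related_object.relation.opts.verbose_name|capfirst|escape }}&nbsp;#{{ forloop.counter }}</h2>
+      <h2>{{ bound_related_object.relation.opts.verbose_name|capfirst }}&nbsp;#{{ forloop.counter }}</h2>
       {% if bound_related_object.show_url %}{% if fcw.obj.original %}
       <p><a href="/r/{{ fcw.obj.original.content_type_id }}/{{ fcw.obj.original.id }}/">View on site</a></p>
       {% endif %}{% endif %}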
  • django/contrib/admin/templates/admin/edit_inline_tabular.html

    diff --git a/django/contrib/admin/templates/admin/edit_inline_tabular.html b/django/contrib/admin/templates/admin/edit_inline_tabular.html
    index 13d5283..e9535df 100644
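--- a/django/contrib/admin/templates/admin/edit_inline_tabular.html
+++ b/django/contrib/admin/templates/admin/edit_inline_tabular.html
@@ -1,10 +1,10 @@
 {% load admin_modify %}
 <fieldset class="module">
-   <h2>{{ bound_related_object.relation.opts.verbose_name_plural|capfirst|escape }}</h2><table>
+   <h2>{{ bound_related_object.relation.opts.verbose_name_plural|capfirst }}</h2><table>
    <thead><tr>
    {% for fw in bound_related_object.field_wrapper_list %}
       {% if fw.needs_header %}
-         <th{{ fw.header_class_attribute }}>{{ fw.field.verbose_name|capfirst|escape }}</th>
+         <th{{ fw.header_class_attribute }}>{{ fw.field.verbose_name|capfirst }}</th>
       {% endif %}
    {% endfor %}
    {% for fcw in bound_related_object.form_field_collection_wrappers %}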
  • django/contrib/admin/templates/admin/filter.html

    diff --git a/django/contrib/admin/templates/admin/filter.html b/django/contrib/admin/templates/admin/filter.html
    index 8b5b521..2a1ced8 100644
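--- a/django/contrib/admin/templates/admin/filter.html
+++ b/django/contrib/admin/templates/admin/filter.html
@@ -3,6 +3,6 @@
 <ul>
 {% for choice in choices %}
     <li{% if choice.selected %} class="selected"{% endif %}>
-    <a href="{{ choice.query_string }}">{{ choice.display|escape }}</a></li>
+    <a href="{{ choice.query_string|safe }}">{{ choice.display }}</a></li>
 {% endfor %}
 </ul>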
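Review bot: `{{ choice.query_string|safe }}` switches escaping off for a value placed inside an `href` attribute, and nothing in this patch shows that the query string is URL-encoded or HTML-escaped where it is built. If the string is assembled from request parameters, a quote character in a parameter would end the attribute. Prefer `<a href="{{ choice.query_string }}">{{ choice.display }}</a></li>` so the autoescaper encodes `&` and quotes, which browsers decode again inside attribute values. The same reasoning applies to the `link` lambda in admin_list.py's `date_hierarchy`, which wraps `cl.get_query_string(...)` in `mark_safe`.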
  • django/contrib/admin/templates/admin/index.html

    diff --git a/django/contrib/admin/templates/admin/index.html b/django/contrib/admin/templates/admin/index.html
    index aa63c14..4efbd32 100644
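--- a/django/contrib/admin/templates/admin/index.html
+++ b/django/contrib/admin/templates/admin/index.html
@@ -19,9 +19,9 @@
         {% for model in app.models %}
             <tr>
             {% if model.perms.change %}
-                <th scope="row"><a href="{{ model.admin_url }}">{{ model.name|escape }}</a></th>
+                <th scope="row"><a href="{{ model.admin_url }}">{{ model.name }}</a></th>
             {% else %}
-                <th scope="row">{{ model.name|escape }}</th>
+                <th scope="row">{{ model.name }}</th>
             {% endif %}
 
             {% if model.perms.add %}
@@ -58,7 +58,7 @@
             {% else %}
             <ul class="actionlist">
             {% for entry in admin_log %}
-                <li class="{% if entry.is_addition %}addlink{% endif %}{% if entry.is_change %}changelink{% endif %}{% if entry.is_deletion %}deletelink{% endif %}">{% if not entry.is_deletion %}<a href="{{ entry.get_admin_url }}">{% endif %}{{ entry.object_repr|escape }}{% if not entry.is_deletion %}</a>{% endif %}<br /><span class="mini quiet">{{ entry.content_type.name|capfirst|escape }}</span></li>
+                <li class="{% if entry.is_addition %}addlink{% endif %}{% if entry.is_change %}changelink{% endif %}{% if entry.is_deletion %}deletelink{% endif %}">{% if not entry.is_deletion %}<a href="{{ entry.get_admin_url }}">{% endif %}{{ entry.object_repr }}{% if not entry.is_deletion %}</a>{% endif %}<br /><span class="mini quiet">{{ entry.content_type.name|capfirst }}</span></li>
             {% endfor %}
             </ul>
             {% endif %}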
  • django/contrib/admin/templates/admin/invalid_setup.html

    diff --git a/django/contrib/admin/templates/admin/invalid_setup.html b/django/contrib/admin/templates/admin/invalid_setup.html
    index 1d7d61f..1fa0d32 100644
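--- a/django/contrib/admin/templates/admin/invalid_setup.html
+++ b/django/contrib/admin/templates/admin/invalid_setup.html
@@ -1,7 +1,7 @@
 {% extends "admin/base_site.html" %}
 {% load i18n %}
 
-{% block breadcrumbs %}<div class="breadcrumbs"><a href="../../">{% trans 'Home' %}</a> &rsaquo; {{ title|escape }}</div>{% endblock %}
+{% block breadcrumbs %}<div class="breadcrumbs"><a href="../../">{% trans 'Home' %}</a> &rsaquo; {{ title }}</div>{% endblock %}
 
 {% block content %}
 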
  • django/contrib/admin/templates/admin/object_history.html

    diff --git a/django/contrib/admin/templates/admin/object_history.html b/django/contrib/admin/templates/admin/object_history.html
    index 14a77b8..5ebd6a4 100644
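--- a/django/contrib/admin/templates/admin/object_history.html
+++ b/django/contrib/admin/templates/admin/object_history.html
@@ -2,7 +2,7 @@
 {% load i18n %}
 {% block userlinks %}<a href="../../../../doc/">{% trans 'Documentation' %}</a> / <a href="../../../../password_change/">{% trans 'Change password' %}</a> / <a href="../../../../logout/">{% trans 'Log out' %}</a>{% endblock %}
 {% block breadcrumbs %}
-<div class="breadcrumbs"><a href="../../../../">{% trans 'Home' %}</a> &rsaquo; <a href="../../">{{ module_name|escape }}</a> &rsaquo; <a href="../">{{ object|escape|truncatewords:"18" }}</a> &rsaquo; {% trans 'History' %}</div>
+<div class="breadcrumbs"><a href="../../../../">{% trans 'Home' %}</a> &rsaquo; <a href="../../">{{ module_name }}</a> &rsaquo; <a href="../">{{ object|truncatewords:"18" }}</a> &rsaquo; {% trans 'History' %}</div>
 {% endblock %}
 
 {% block content %}
@@ -24,8 +24,8 @@
         {% for action in action_list %}
         <tr>
             <th scope="row">{{ action.action_time|date:_("DATE_WITH_TIME_FULL") }}</th>
-            <td>{{ action.user.username }}{% if action.user.first_name %} ({{ action.user.first_name|escape }} {{ action.user.last_name|escape }}){% endif %}</td>
-            <td>{{ action.change_message|escape }}</td>
+            <td>{{ action.user.username }}{% if action.user.first_name %} ({{ action.user.first_name }} {{ action.user.last_name }}){% endif %}</td>
+            <td>{{ action.change_message }}</td>
         </tr>
         {% endfor %}
         </tbody>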
  • django/contrib/admin/templates/admin/pagination.html

    diff --git a/django/contrib/admin/templates/admin/pagination.html b/django/contrib/admin/templates/admin/pagination.html
    index e1c09b2..0640a46 100644
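--- a/django/contrib/admin/templates/admin/pagination.html
+++ b/django/contrib/admin/templates/admin/pagination.html
@@ -6,6 +6,6 @@
     {% paginator_number cl i %}
 {% endfor %}
 {% endif %}
-{{ cl.result_count }} {% ifequal cl.result_count 1 %}{{ cl.opts.verbose_name|escape }}{% else %}{{ cl.opts.verbose_name_plural|escape }}{% endifequal %}
+{{ cl.result_count }} {% ifequal cl.result_count 1 %}{{ cl.opts.verbose_name|escape }}{% else %}{{ cl.opts.verbose_name_plural }}{% endifequal %}
 {% if show_all_url %}&nbsp;&nbsp;<a href="{{ show_all_url }}" class="showall">{% trans 'Show all' %}</a>{% endif %}
 </p>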
  • django/contrib/admin/templates/admin/search_form.html

    diff --git a/django/contrib/admin/templates/admin/search_form.html b/django/contrib/admin/templates/admin/search_form.html
    index d9126c3..9e40d5e 100644
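--- a/django/contrib/admin/templates/admin/search_form.html
+++ b/django/contrib/admin/templates/admin/search_form.html
@@ -4,13 +4,13 @@
 <div id="toolbar"><form id="changelist-search" action="" method="get">
 <div><!-- DIV needed for valid HTML -->
 <label for="searchbar"><img src="{% admin_media_prefix %}img/admin/icon_searchbox.png" alt="Search" /></label>
-<input type="text" size="40" name="{{ search_var }}" value="{{ cl.query|escape }}" id="searchbar" />
+<input type="text" size="40" name="{{ search_var }}" value="{{ cl.query }}" id="searchbar" />
 <input type="submit" value="{% trans 'Go' %}" />
 {% if show_result_count %}
     <span class="small quiet">{% blocktrans count cl.result_count as counter %}1 result{% plural %}{{ counter }} results{% endblocktrans %} (<a href="?">{% blocktrans with cl.full_result_count as full_result_count %}{{ full_result_count }} total{% endblocktrans %}</a>)</span>
 {% endif %}
 {% for pair in cl.params.items %}
-    {% ifnotequal pair.0 search_var %}<input type="hidden" name="{{ pair.0|escape }}" value="{{ pair.1|escape }}"/>{% endifnotequal %}
+    {% ifnotequal pair.0 search_var %}<input type="hidden" name="{{ pair.0 }}" value="{{ pair.1 }}"/>{% endifnotequal %}
 {% endfor %}
 </div>
 </form></div>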
  • django/contrib/admin/templates/admin_doc/model_detail.html

    diff --git a/django/contrib/admin/templates/admin_doc/model_detail.html b/django/contrib/admin/templates/admin_doc/model_detail.html
    index 44fc43e..5cb9a94 100644
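--- a/django/contrib/admin/templates/admin_doc/model_detail.html
+++ b/django/contrib/admin/templates/admin_doc/model_detail.html
@@ -9,16 +9,16 @@
 </style>
 {% endblock %}
 
-{% block breadcrumbs %}<div class="breadcrumbs"><a href="../../../">Home</a> &rsaquo; <a href="../../">Documentation</a> &rsaquo; <a href="../">Models</a> &rsaquo; {{ name|escape }}</div>{% endblock %}
+{% block breadcrumbs %}<div class="breadcrumbs"><a href="../../../">Home</a> &rsaquo; <a href="../../">Documentation</a> &rsaquo; <a href="../">Models</a> &rsaquo; {{ name }}</div>{% endblock %}
 
-{% block title %}Model: {{ name|escape }}{% endblock %}
+{% block title %}Model: {{ name }}{% endblock %}
 
 {% block content %}
 <div id="content-main">
-<h1>{{ summary|escape }}</h1>
+<h1>{{ summary }}</h1>
 
 {% if description %}
-  <p>{% filter escape|linebreaksbr %}{% trans description %}{% endfilter %}</p>
+  <p>{% filter linebreaksbr %}{% trans description %}{% endfilter %}</p>
 {% endif %}
 
 <div class="module">
@@ -35,7 +35,7 @@
 <tr>
     <td>{{ field.name }}</td>
     <td>{{ field.data_type }}</td>
-    <td>{% if field.verbose %}{{ field.verbose|escape }}{% endif %}{% if field.help_text %} - {{ field.help_text|escape }}{% endif %}</td>
+    <td>{% if field.verbose %}{{ field.verbose }}{% endif %}{% if field.help_text %} - {{ field.help_text }}{% endif %}</td>
 </tr>
 {% endfor %}
 </tbody>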
  • django/contrib/admin/templates/admin_doc/template_detail.html

    diff --git a/django/contrib/admin/templates/admin_doc/template_detail.html b/django/contrib/admin/templates/admin_doc/template_detail.html
    index 280ea91..df67f18 100644
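--- a/django/contrib/admin/templates/admin_doc/template_detail.html
+++ b/django/contrib/admin/templates/admin_doc/template_detail.html
@@ -1,19 +1,19 @@
 {% extends "admin/base_site.html" %}
 {% load i18n %}
-{% block breadcrumbs %}<div class="breadcrumbs"><a href="../../../">Home</a> &rsaquo; <a href="../../">Documentation</a> &rsaquo; Templates &rsaquo; {{ name|escape }}</div>{% endblock %}
+{% block breadcrumbs %}<div class="breadcrumbs"><a href="../../../">Home</a> &rsaquo; <a href="../../">Documentation</a> &rsaquo; Templates &rsaquo; {{ name }}</div>{% endblock %}
 {% block userlinks %}<a href="../../../password_change/">{% trans 'Change password' %}</a> / <a href="../../../logout/">{% trans 'Log out' %}</a>{% endblock %}
 
-{% block title %}Template: {{ name|escape }}{% endblock %}
+{% block title %}Template: {{ name }}{% endblock %}
 
 {% block content %}
-<h1>Template: "{{ name|escape }}"</h1>
+<h1>Template: "{{ name }}"</h1>
 
 {% regroup templates|dictsort:"site_id" by site as templates_by_site %}
 {% for group in templates_by_site %}
-    <h2>Search path for template "{{ name|escape }}" on {{ group.grouper }}:</h2>
+    <h2>Search path for template "{{ name }}" on {{ group.grouper }}:</h2>
     <ol>
     {% for template in group.list|dictsort:"order" %}
-        <li><code>{{ template.file|escape }}</code>{% if not template.exists %} <em>(does not exist)</em>{% endif %}</li>
+        <li><code>{{ template.file }}</code>{% if not template.exists %} <em>(does not exist)</em>{% endif %}</li>
     {% endfor %}
     </ol>
 {% endfor %}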
  • django/contrib/admin/templates/admin_doc/view_detail.html

    diff --git a/django/contrib/admin/templates/admin_doc/view_detail.html b/django/contrib/admin/templates/admin_doc/view_detail.html
    index ed90657..ba90399 100644
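--- a/django/contrib/admin/templates/admin_doc/view_detail.html
+++ b/django/contrib/admin/templates/admin_doc/view_detail.html
@@ -8,7 +8,7 @@
 
 <h1>{{ name }}</h1>
 
-<h2 class="subhead">{{ summary|escape }}</h2>
+<h2 class="subhead">{{ summary }}</h2>
 
 <p>{{ body }}</p>
 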
  • django/contrib/admin/templates/widget/foreign.html

    diff --git a/django/contrib/admin/templates/widget/foreign.html b/django/contrib/admin/templates/widget/foreign.html
    index 301f521..6b43d04 100644
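--- a/django/contrib/admin/templates/widget/foreign.html
+++ b/django/contrib/admin/templates/widget/foreign.html
@@ -15,6 +15,6 @@
         {{ bound_field.original_value }}
     {% endif %}
     {% if bound_field.raw_id_admin %}
-        {% if bound_field.existing_display %}&nbsp;<strong>{{ bound_field.existing_display|truncatewords:"14"|escape }}</strong>{% endif %}
+        {% if bound_field.existing_display %}&nbsp;<strong>{{ bound_field.existing_display|truncatewords:"14" }}</strong>{% endif %}
     {% endif %}
 {% endif %}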
  • django/contrib/admin/templates/widget/one_to_one.html

    diff --git a/django/contrib/admin/templates/widget/one_to_one.html b/django/contrib/admin/templates/widget/one_to_one.html
    index efd0117..a79a123 100644
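--- a/django/contrib/admin/templates/widget/one_to_one.html
+++ b/django/contrib/admin/templates/widget/one_to_one.html
@@ -1,2 +1,2 @@
 {% if add %}{% include "widget/foreign.html" %}{% endif %}
-{% if change %}{% if bound_field.existing_display %}&nbsp;<strong>{{ bound_field.existing_display|truncatewords:"14"|escape }}</strong>{% endif %}{% endif %}
+{% if change %}{% if bound_field.existing_display %}&nbsp;<strong>{{ bound_field.existing_display|truncatewords:"14" }}</strong>{% endif %}{% endif %}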
  • django/contrib/admin/templatetags/admin_list.py

    diff --git a/django/contrib/admin/templatetags/admin_list.py b/django/contrib/admin/templatetags/admin_list.py
    index 832b356..df5c883 100644
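--- a/django/contrib/admin/templatetags/admin_list.py
+++ b/django/contrib/admin/templatetags/admin_list.py
@@ -6,6 +6,7 @@ from django.db import models
 from django.utils import dateformat
 from django.utils.html import escape
 from django.utils.text import capfirst
+from django.utils.safestring import mark_safe
 from django.utils.translation import get_date_formats, get_partial_date_formats
 from django.template import Library
 import datetime
@@ -18,9 +19,9 @@ def paginator_number(cl,i):
     if i == DOT:
         return '... '
     elif i == cl.page_num:
-        return '<span class="this-page">%d</span> ' % (i+1)
+        return mark_safe('<span class="this-page">%d</span> ' % (i+1))
     else:
-        return '<a href="%s"%s>%d</a> ' % (cl.get_query_string({PAGE_VAR: i}), (i == cl.paginator.pages-1 and ' class="end"' or ''), i+1)
+        return mark_safe('<a href="%s"%s>%d</a> ' % (cl.get_query_string({PAGE_VAR: i}), (i == cl.paginator.pages-1 and ' class="end"' or ''), i+1))
 paginator_number = register.simple_tag(paginator_number)
 
 def pagination(cl):
@@ -169,10 +170,10 @@ def items_for_result(cl, result):
             first = False
             url = cl.url_for_result(result)
             result_id = str(getattr(result, pk)) # str() is needed in case of 23L (long ints)
-            yield ('<%s%s><a href="%s"%s>%s</a></%s>' % \
+            yield mark_safe('<%s%s><a href="%s"%s>%s</a></%s>' % \
                 (table_tag, row_class, url, (cl.is_popup and ' onclick="opener.dismissRelatedLookupPopup(window, %r); return false;"' % result_id or ''), result_repr, table_tag))
         else:
-            yield ('<td%s>%s</td>' % (row_class, result_repr))
+            yield mark_safe('<td%s>%s</td>' % (row_class, result_repr))
 
 def results(cl):
     for res in cl.result_list:
@@ -196,7 +197,7 @@ def date_hierarchy(cl):
         day_lookup = cl.params.get(day_field)
         year_month_format, month_day_format = get_partial_date_formats()
 
-        link = lambda d: cl.get_query_string(d, [field_generic])
+        link = lambda d: mark_safe(cl.get_query_string(d, [field_generic]))
 
         if year_lookup and month_lookup and day_lookup:
             day = datetime.date(int(year_lookup), int(month_lookup), int(day_lookup))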
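Review bot: In `items_for_result`, `mark_safe` is applied to a string that interpolates `url` and `result_repr` with plain `%s`, so the yielded markup is trusted wholesale. How `result_repr` is built is outside the hunk, so it is worth confirming that every branch that sets it escapes the value before these lines. `escape` is already imported in this file, so the URL can be escaped at the point of use by starting the argument tuple with `(table_tag, row_class, escape(url),`.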
  • django/contrib/admin/templatetags/admin_modify.py

    diff --git a/django/contrib/admin/templatetags/admin_modify.py b/django/contrib/admin/templatetags/admin_modify.py
    index 7ba7bef..5a27d0e 100644
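--- a/django/contrib/admin/templatetags/admin_modify.py
+++ b/django/contrib/admin/templatetags/admin_modify.py
@@ -2,6 +2,8 @@ from django import template
 from django.contrib.admin.views.main import AdminBoundField
 from django.template import loader
 from django.utils.text import capfirst
+from django.utils.html import escape
+from django.utils.safestring import mark_safe
 from django.db import models
 from django.db.models.fields import Field
 from django.db.models.related import BoundRelatedObject
@@ -29,7 +31,7 @@ def include_admin_script(script_path):
         <script type="text/javascript" src="/media/admin/js/calendar.js">
     """
 
-    return '<script type="text/javascript" src="%s%s"></script>' % (settings.ADMIN_MEDIA_PREFIX, script_path)
+    return mark_safe('<script type="text/javascript" src="%s%s"></script>' % (settings.ADMIN_MEDIA_PREFIX, script_path))
 include_admin_script = register.simple_tag(include_admin_script)
 
 def submit_row(context):
@@ -60,8 +62,8 @@ def field_label(bound_field):
             class_names.append('inline')
         colon = ":"
     class_str = class_names and ' class="%s"' % ' '.join(class_names) or ''
-    return '<label for="%s"%s>%s%s</label> ' % (bound_field.element_id, class_str, \
-        capfirst(bound_field.field.verbose_name), colon)
+    return mark_safe('<label for="%s"%s>%s%s</label> ' % (bound_field.element_id, class_str, \
+        escape(capfirst(bound_field.field.verbose_name)), colon))
 field_label = register.simple_tag(field_label)
 
 class FieldWidgetNode(template.Node):
@@ -188,15 +190,15 @@ def auto_populated_field_script(auto_pop
                      ' var e = document.getElementById("id_%s");' \
                      ' if(!e._changed) { e.value = URLify(%s, %s);} }; ' % (
                      f, field.name, add_values, field.maxlength))
-    return ''.join(t)
+    return mark_safe(''.join(t))
 auto_populated_field_script = register.simple_tag(auto_populated_field_script)
 
 def filter_interface_script_maybe(bound_field):
     f = bound_field.field
     if f.rel and isinstance(f.rel, models.ManyToManyRel) and f.rel.filter_interface:
-        return '<script type="text/javascript">addEvent(window, "load", function(e) {' \
+        return mark_safe('<script type="text/javascript">addEvent(window, "load", function(e) {' \
               ' SelectFilter.init("id_%s", "%s", %s, "%s"); });</script>\n' % (
-              f.name, f.verbose_name, f.rel.filter_interface-1, settings.ADMIN_MEDIA_PREFIX)
+              f.name, escape(f.verbose_name), f.rel.filter_interface-1, settings.ADMIN_MEDIA_PREFIX))
     else:
         return ''
 filter_interface_script_maybe = register.simple_tag(filter_interface_script_maybe)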
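Review bot: In `filter_interface_script_maybe`, `escape(f.verbose_name)` HTML-escapes a value that is interpolated into a JavaScript string literal inside a `<script>` element, which is the wrong encoding for that context. Entities are not decoded inside script content, so a quoted name is displayed with literal `&quot;`, and a backslash or newline in the name still breaks the literal. The value needs JavaScript string escaping before `mark_safe` is applied; at minimum add `# verbose_name ends up inside a JS string literal; HTML escaping alone does not make it safe here` above the return. `auto_populated_field_script`, just above in the same hunk, also marks output safe after interpolating field names into script text.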
  • django/contrib/admin/utils.py

    diff --git a/django/contrib/admin/utils.py b/django/contrib/admin/utils.py
    index 9adf09b..4a45a62 100644
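--- a/django/contrib/admin/utils.py
+++ b/django/contrib/admin/utils.py
@@ -3,6 +3,7 @@
 import re
 from email.Parser import HeaderParser
 from email.Errors import HeaderParseError
+from django.utils.safestring import mark_safe
 try:
     import docutils.core
     import docutils.nodes
@@ -66,7 +67,7 @@ def parse_rst(text, default_reference_co
     parts = docutils.core.publish_parts(text, source_path=thing_being_parsed,
                 destination_path=None, writer_name='html',
                 settings_overrides=overrides)
-    return parts['fragment']
+    return mark_safe(parts['fragment'])
 
 #
 # reST roles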
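Review bot: `parse_rst` now returns `mark_safe(parts['fragment'])` with no comment saying why the docutils output can be trusted, and the `overrides` passed to `publish_parts` are built outside the hunk. Marking the fragment safe removes the template layer as a backstop, so state the assumption next to the call, e.g. `# fragment is docutils-generated HTML; only safe while text is trusted source documentation (confirm callers)`. It is also worth confirming that the overrides switch off docutils' `raw_enabled` and `file_insertion_enabled` settings.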
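diff --git a/django/contrib/admin/views/decorators.py b/django/contrib/admin/views/decorators.py
index fce5090..a4c9d99 100644
--- a/django/contrib/admin/views/decorators.py
+++ b/django/contrib/admin/views/decorators.py
@@ -22,7 +22,7 @@ def _display_login_form(request, error_m
         post_data = _encode_post_data({})
     return render_to_response('admin/login.html', {
         'title': _('Log in'),
-        'app_path': request.path,
+        'app_path': mark_safe(request.path),
         'post_data': post_data,
         'error_message': error_message
     }, context_instance=template.RequestContext(request))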
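Review bot: `mark_safe(request.path)` in the `app_path` entry exempts a client-supplied value from the autoescaping this patch introduces, so markup characters in the requested path would reach `admin/login.html` unescaped wherever `app_path` is rendered (the template is not shown here). Passing the plain value, `'app_path': request.path,`, lets the template engine escape it. It also avoids the `mark_safe` name, for which this file section adds no import, and the patch summary lists only one changed line for decorators.py. The same concern applies to `admin_url` in `bookmarklets` in views/doc.py, which is built from `get_host(request)` and `request.path` and then marked safe. `_display_login_form` starts outside the hunk.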
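diff --git a/django/contrib/admin/views/doc.py b/django/contrib/admin/views/doc.py
index 68799fc..92f2f71 100644
--- a/django/contrib/admin/views/doc.py
+++ b/django/contrib/admin/views/doc.py
@@ -9,6 +9,7 @@ from django.http import Http404, get_hos
 from django.core import urlresolvers
 from django.contrib.admin import utils
 from django.contrib.sites.models import Site
+from django.utils.safestring import mark_safe
 import inspect, os, re
 
 # Exclude methods starting with these strings from documentation
@@ -28,7 +29,7 @@ def bookmarklets(request):
     # Hack! This couples this view to the URL it lives at.
     admin_root = request.path[:-len('doc/bookmarklets/')]
     return render_to_response('admin_doc/bookmarklets.html', {
-        'admin_url': "%s://%s%s" % (request.is_secure() and 'https' or 'http', get_host(request), admin_root),
+        'admin_url': mark_safe("%s://%s%s" % (request.is_secure() and 'https' or 'http', get_host(request), admin_root)),
     }, context_instance=RequestContext(request))
 bookmarklets = staff_member_required(bookmarklets)
 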
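diff --git a/django/contrib/admin/views/main.py b/django/contrib/admin/views/main.py
index 705dfad..2cca65e 100644
--- a/django/contrib/admin/views/main.py
+++ b/django/contrib/admin/views/main.py
@@ -12,6 +12,7 @@ from django.db.models.query import handl
 from django.http import Http404, HttpResponse, HttpResponseRedirect
 from django.utils.html import escape
 from django.utils.text import capfirst, get_text_list
+from django.utils.safestring import mark_safe
 import operator
 
 from django.contrib.admin.models import LogEntry, ADDITION, CHANGE, DELETION
@@ -129,7 +130,7 @@ class AdminBoundField(object):
         self._repr_filled = False
 
         if field.rel:
-            self.related_url = '../../../%s/%s/' % (field.rel.to._meta.app_label, field.rel.to._meta.object_name.lower())
+            self.related_url = mark_safe('../../../%s/%s/' % (field.rel.to._meta.app_label, field.rel.to._meta.object_name.lower()))
 
     def original_value(self):
         if self.original:
@@ -209,7 +210,7 @@ def render_change_form(model, manipulato
         'javascript_imports': get_javascript_imports(opts, auto_populated_fields, field_sets),
         'ordered_objects': ordered_objects,
         'inline_related_objects': inline_related_objects,
-        'form_url': form_url,
+        'form_url': mark_safe(form_url),
         'opts': opts,
         'content_type_id': ContentType.objects.get_for_model(model).id,
     }
@@ -430,9 +431,9 @@ def _get_deleted_objects(deleted_objects
                     nh(deleted_objects, current_depth, ['%s: %s' % (capfirst(related.opts.verbose_name), sub_obj), []])
                 else:
                     # Display a link to the admin page.
-                    nh(deleted_objects, current_depth, ['%s: <a href="../../../../%s/%s/%s/">%s</a>' % \
-                        (capfirst(related.opts.verbose_name), related.opts.app_label, related.opts.object_name.lower(),
-                        sub_obj._get_pk_val(), sub_obj), []])
+                    nh(deleted_objects, current_depth, [mark_safe('%s: <a href="../../../../%s/%s/%s/">%s</a>' % \
+                        (escape(capfirst(related.opts.verbose_name)), related.opts.app_label, related.opts.object_name.lower(),
+                        sub_obj._get_pk_val(), escape(sub_obj))), []])
                 _get_deleted_objects(deleted_objects, perms_needed, user, sub_obj, related.opts, current_depth+2)
         else:
             has_related_objs = False
@@ -444,8 +445,8 @@ def _get_deleted_objects(deleted_objects
                     nh(deleted_objects, current_depth, ['%s: %s' % (capfirst(related.opts.verbose_name), escape(str(sub_obj))), []])
                 else:
                     # Display a link to the admin page.
-                    nh(deleted_objects, current_depth, ['%s: <a href="../../../../%s/%s/%s/">%s</a>' % \
-                        (capfirst(related.opts.verbose_name), related.opts.app_label, related.opts.object_name.lower(), sub_obj._get_pk_val(), escape(str(sub_obj))), []])
+                    nh(deleted_objects, current_depth, [mark_safe('%s: <a href="../../../../%s/%s/%s/">%s</a>' % \
+                        (escape(capfirst(related.opts.verbose_name)), related.opts.app_label, related.opts.object_name.lower(), sub_obj._get_pk_val(), escape(str(sub_obj)))), []])
                 _get_deleted_objects(deleted_objects, perms_needed, user, sub_obj, related.opts, current_depth+2)
             # If there were related objects, and the user doesn't have
             # permission to delete them, add the missing perm to perms_needed.
@@ -473,9 +474,9 @@ def _get_deleted_objects(deleted_objects
                 else:
                     # Display a link to the admin page.
                     nh(deleted_objects, current_depth, [
-                        (_('One or more %(fieldname)s in %(name)s:') % {'fieldname': related.field.verbose_name, 'name':related.opts.verbose_name}) + \
+                        mark_safe((_('One or more %(fieldname)s in %(name)s:') % {'fieldname': escape(related.field.verbose_name), 'name':related.opts.verbose_name}) + \
                         (' <a href="../../../../%s/%s/%s/">%s</a>' % \
-                            (related.opts.app_label, related.opts.module_name, sub_obj._get_pk_val(), escape(str(sub_obj)))), []])
+                            (related.opts.app_label, related.opts.module_name, sub_obj._get_pk_val(), escape(str(sub_obj))))), []])
         # If there were related objects, and the user doesn't have
         # permission to change them, add the missing perm to perms_needed.
         if related.opts.admin and has_related_objs:
@@ -496,7 +497,8 @@ def delete_stage(request, app_label, mod
 
     # Populate deleted_objects, a data structure of all related objects that
     # will also be deleted.
-    deleted_objects = ['%s: <a href="../../%s/">%s</a>' % (capfirst(opts.verbose_name), object_id, escape(str(obj))), []]
+    deleted_objects = [mark_safe('%s: <a href="../../%s/">%s</a>' %
+        (escape(capfirst(opts.verbose_name)), object_id, escape(str(obj)))), []]
     perms_needed = sets.Set()
     _get_deleted_objects(deleted_objects, perms_needed, request.user, obj, opts, 1)
 
@@ -593,7 +595,7 @@ class ChangeList(object):
                 del p[k]
             elif v is not None:
                 p[k] = v
-        return '?' + '&amp;'.join(['%s=%s' % (k, v) for k, v in p.items()]).replace(' ', '%20')
+        return mark_safe('?' + '&amp;'.join(['%s=%s' % (k, v) for k, v in p.items()]).replace(' ', '%20'))
 
     def get_results(self, request):
         paginator = ObjectPaginator(self.query_set, self.lookup_opts.admin.list_per_page)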
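Review bot: The `mark_safe(...)` around the query string in the `ChangeList` hunk covers `k` and `v` interpolated by `'%s=%s' % (k, v)` with only spaces replaced, so `&`, `<`, `>` and quotes in a parameter pass into the page unescaped once the result is marked safe. `p` is built outside the hunk; if it is derived from the request's query parameters, as it appears to be, the pairs should be encoded before the join, for example `'%s=%s' % (escape(k), escape(v))` with the `escape` this module already imports. In the `_get_deleted_objects` and `delete_stage` hunks the same applies on a smaller scale to `sub_obj._get_pk_val()`, `object_id` and `'name': related.opts.verbose_name`, which now sit unescaped inside `mark_safe` next to escaped neighbours. The method containing the return starts outside the hunk.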