@@ -35,7 +35,7 @@
{{ field.name }}
{{ field.data_type }}
- {% if field.verbose %}{{ field.verbose|escape }}{% endif %}{% if field.help_text %} - {{ field.help_text|escape }}{% endif %}
+ {% if field.verbose %}{{ field.verbose }}{% endif %}{% if field.help_text %} - {{ field.help_text }}{% endif %}
{% endfor %}
diff --git a/django/contrib/admin/templates/admin_doc/template_detail.html b/django/contrib/admin/templates/admin_doc/template_detail.html
index 280ea91..df67f18 100644
--- a/django/contrib/admin/templates/admin_doc/template_detail.html
+++ b/django/contrib/admin/templates/admin_doc/template_detail.html
@@ -1,19 +1,19 @@
{% extends "admin/base_site.html" %}
{% load i18n %}
-{% block breadcrumbs %}
{% endblock %}
+{% block breadcrumbs %}
{% endblock %}
{% block userlinks %}
{% trans 'Change password' %} /
{% trans 'Log out' %} {% endblock %}
-{% block title %}Template: {{ name|escape }}{% endblock %}
+{% block title %}Template: {{ name }}{% endblock %}
{% block content %}
-
Template: "{{ name|escape }}"
+
Template: "{{ name }}"
{% regroup templates|dictsort:"site_id" by site as templates_by_site %}
{% for group in templates_by_site %}
-
Search path for template "{{ name|escape }}" on {{ group.grouper }}:
+
Search path for template "{{ name }}" on {{ group.grouper }}:
{% for template in group.list|dictsort:"order" %}
- {{ template.file|escape }}{% if not template.exists %} (does not exist) {% endif %}{{ template.file }}{% if not template.exists %} (does not exist) {% endif %}
{% endfor %}
diff --git a/django/contrib/admin/templates/admin_doc/view_detail.html b/django/contrib/admin/templates/admin_doc/view_detail.html
index ed90657..ba90399 100644
--- a/django/contrib/admin/templates/admin_doc/view_detail.html
+++ b/django/contrib/admin/templates/admin_doc/view_detail.html
@@ -8,7 +8,7 @@
{{ name }}
-
{{ summary|escape }}
+
{{ summary }}
{{ body }}
diff --git a/django/contrib/admin/templates/widget/foreign.html b/django/contrib/admin/templates/widget/foreign.html
index 301f521..6b43d04 100644
--- a/django/contrib/admin/templates/widget/foreign.html
+++ b/django/contrib/admin/templates/widget/foreign.html
@@ -15,6 +15,6 @@
{{ bound_field.original_value }}
{% endif %}
{% if bound_field.raw_id_admin %}
- {% if bound_field.existing_display %}
{{ bound_field.existing_display|truncatewords:"14"|escape }} {% endif %}
+ {% if bound_field.existing_display %}
{{ bound_field.existing_display|truncatewords:"14" }} {% endif %}
{% endif %}
{% endif %}
diff --git a/django/contrib/admin/templates/widget/one_to_one.html b/django/contrib/admin/templates/widget/one_to_one.html
index efd0117..a79a123 100644
--- a/django/contrib/admin/templates/widget/one_to_one.html
+++ b/django/contrib/admin/templates/widget/one_to_one.html
@@ -1,2 +1,2 @@
{% if add %}{% include "widget/foreign.html" %}{% endif %}
-{% if change %}{% if bound_field.existing_display %}
{{ bound_field.existing_display|truncatewords:"14"|escape }} {% endif %}{% endif %}
+{% if change %}{% if bound_field.existing_display %}
{{ bound_field.existing_display|truncatewords:"14" }} {% endif %}{% endif %}
diff --git a/django/contrib/admin/templatetags/admin_list.py b/django/contrib/admin/templatetags/admin_list.py
index 832b356..df5c883 100644
--- a/django/contrib/admin/templatetags/admin_list.py
+++ b/django/contrib/admin/templatetags/admin_list.py
@@ -6,6 +6,7 @@ from django.db import models
from django.utils import dateformat
from django.utils.html import escape
from django.utils.text import capfirst
+from django.utils.safestring import mark_safe
from django.utils.translation import get_date_formats, get_partial_date_formats
from django.template import Library
import datetime
@@ -18,9 +19,9 @@ def paginator_number(cl,i):
if i == DOT:
return '... '
elif i == cl.page_num:
- return '
%d ' % (i+1)
+ return mark_safe('
%d ' % (i+1))
else:
- return '
%d ' % (cl.get_query_string({PAGE_VAR: i}), (i == cl.paginator.pages-1 and ' class="end"' or ''), i+1)
+ return mark_safe('
%d ' % (cl.get_query_string({PAGE_VAR: i}), (i == cl.paginator.pages-1 and ' class="end"' or ''), i+1))
paginator_number = register.simple_tag(paginator_number)
def pagination(cl):
@@ -169,10 +170,10 @@ def items_for_result(cl, result):
first = False
url = cl.url_for_result(result)
result_id = str(getattr(result, pk)) # str() is needed in case of 23L (long ints)
- yield ('<%s%s>
%s ' % \
+ yield mark_safe('<%s%s>
%s ' % \
(table_tag, row_class, url, (cl.is_popup and ' onclick="opener.dismissRelatedLookupPopup(window, %r); return false;"' % result_id or ''), result_repr, table_tag))
else:
- yield ('
%s' % (row_class, result_repr))
+ yield mark_safe('%s' % (row_class, result_repr))
def results(cl):
for res in cl.result_list:
@@ -196,7 +197,7 @@ def date_hierarchy(cl):
day_lookup = cl.params.get(day_field)
year_month_format, month_day_format = get_partial_date_formats()
- link = lambda d: cl.get_query_string(d, [field_generic])
+ link = lambda d: mark_safe(cl.get_query_string(d, [field_generic]))
if year_lookup and month_lookup and day_lookup:
day = datetime.date(int(year_lookup), int(month_lookup), int(day_lookup))
diff --git a/django/contrib/admin/templatetags/admin_modify.py b/django/contrib/admin/templatetags/admin_modify.py
index 7ba7bef..5a27d0e 100644
--- a/django/contrib/admin/templatetags/admin_modify.py
+++ b/django/contrib/admin/templatetags/admin_modify.py
@@ -2,6 +2,8 @@ from django import template
from django.contrib.admin.views.main import AdminBoundField
from django.template import loader
from django.utils.text import capfirst
+from django.utils.html import escape
+from django.utils.safestring import mark_safe
from django.db import models
from django.db.models.fields import Field
from django.db.models.related import BoundRelatedObject
@@ -29,7 +31,7 @@ def include_admin_script(script_path):
' % (settings.ADMIN_MEDIA_PREFIX, script_path)
+ return mark_safe('' % (settings.ADMIN_MEDIA_PREFIX, script_path))
include_admin_script = register.simple_tag(include_admin_script)
def submit_row(context):
@@ -60,8 +62,8 @@ def field_label(bound_field):
class_names.append('inline')
colon = ":"
class_str = class_names and ' class="%s"' % ' '.join(class_names) or ''
- return '%s%s ' % (bound_field.element_id, class_str, \
- capfirst(bound_field.field.verbose_name), colon)
+ return mark_safe('%s%s ' % (bound_field.element_id, class_str, \
+ escape(capfirst(bound_field.field.verbose_name)), colon))
field_label = register.simple_tag(field_label)
class FieldWidgetNode(template.Node):
@@ -188,15 +190,15 @@ def auto_populated_field_script(auto_pop
' var e = document.getElementById("id_%s");' \
' if(!e._changed) { e.value = URLify(%s, %s);} }; ' % (
f, field.name, add_values, field.maxlength))
- return ''.join(t)
+ return mark_safe(''.join(t))
auto_populated_field_script = register.simple_tag(auto_populated_field_script)
def filter_interface_script_maybe(bound_field):
f = bound_field.field
if f.rel and isinstance(f.rel, models.ManyToManyRel) and f.rel.filter_interface:
- return '\n' % (
- f.name, f.verbose_name, f.rel.filter_interface-1, settings.ADMIN_MEDIA_PREFIX)
+ f.name, escape(f.verbose_name), f.rel.filter_interface-1, settings.ADMIN_MEDIA_PREFIX))
else:
return ''
filter_interface_script_maybe = register.simple_tag(filter_interface_script_maybe)
diff --git a/django/contrib/admin/utils.py b/django/contrib/admin/utils.py
index 9adf09b..4a45a62 100644
--- a/django/contrib/admin/utils.py
+++ b/django/contrib/admin/utils.py
@@ -3,6 +3,7 @@
import re
from email.Parser import HeaderParser
from email.Errors import HeaderParseError
+from django.utils.safestring import mark_safe
try:
import docutils.core
import docutils.nodes
@@ -66,7 +67,7 @@ def parse_rst(text, default_reference_co
parts = docutils.core.publish_parts(text, source_path=thing_being_parsed,
destination_path=None, writer_name='html',
settings_overrides=overrides)
- return parts['fragment']
+ return mark_safe(parts['fragment'])
#
# reST roles
diff --git a/django/contrib/admin/views/decorators.py b/django/contrib/admin/views/decorators.py
index fce5090..a4c9d99 100644
--- a/django/contrib/admin/views/decorators.py
+++ b/django/contrib/admin/views/decorators.py
@@ -22,7 +22,7 @@ def _display_login_form(request, error_m
post_data = _encode_post_data({})
return render_to_response('admin/login.html', {
'title': _('Log in'),
- 'app_path': request.path,
+ 'app_path': mark_safe(request.path),
'post_data': post_data,
'error_message': error_message
}, context_instance=template.RequestContext(request))
diff --git a/django/contrib/admin/views/doc.py b/django/contrib/admin/views/doc.py
index 68799fc..92f2f71 100644
--- a/django/contrib/admin/views/doc.py
+++ b/django/contrib/admin/views/doc.py
@@ -9,6 +9,7 @@ from django.http import Http404, get_hos
from django.core import urlresolvers
from django.contrib.admin import utils
from django.contrib.sites.models import Site
+from django.utils.safestring import mark_safe
import inspect, os, re
# Exclude methods starting with these strings from documentation
@@ -28,7 +29,7 @@ def bookmarklets(request):
# Hack! This couples this view to the URL it lives at.
admin_root = request.path[:-len('doc/bookmarklets/')]
return render_to_response('admin_doc/bookmarklets.html', {
- 'admin_url': "%s://%s%s" % (request.is_secure() and 'https' or 'http', get_host(request), admin_root),
+ 'admin_url': mark_safe("%s://%s%s" % (request.is_secure() and 'https' or 'http', get_host(request), admin_root)),
}, context_instance=RequestContext(request))
bookmarklets = staff_member_required(bookmarklets)
diff --git a/django/contrib/admin/views/main.py b/django/contrib/admin/views/main.py
index 705dfad..2cca65e 100644
--- a/django/contrib/admin/views/main.py
+++ b/django/contrib/admin/views/main.py
@@ -12,6 +12,7 @@ from django.db.models.query import handl
from django.http import Http404, HttpResponse, HttpResponseRedirect
from django.utils.html import escape
from django.utils.text import capfirst, get_text_list
+from django.utils.safestring import mark_safe
import operator
from django.contrib.admin.models import LogEntry, ADDITION, CHANGE, DELETION
@@ -129,7 +130,7 @@ class AdminBoundField(object):
self._repr_filled = False
if field.rel:
- self.related_url = '../../../%s/%s/' % (field.rel.to._meta.app_label, field.rel.to._meta.object_name.lower())
+ self.related_url = mark_safe('../../../%s/%s/' % (field.rel.to._meta.app_label, field.rel.to._meta.object_name.lower()))
def original_value(self):
if self.original:
@@ -209,7 +210,7 @@ def render_change_form(model, manipulato
'javascript_imports': get_javascript_imports(opts, auto_populated_fields, field_sets),
'ordered_objects': ordered_objects,
'inline_related_objects': inline_related_objects,
- 'form_url': form_url,
+ 'form_url': mark_safe(form_url),
'opts': opts,
'content_type_id': ContentType.objects.get_for_model(model).id,
}
@@ -430,9 +431,9 @@ def _get_deleted_objects(deleted_objects
nh(deleted_objects, current_depth, ['%s: %s' % (capfirst(related.opts.verbose_name), sub_obj), []])
else:
# Display a link to the admin page.
- nh(deleted_objects, current_depth, ['%s: %s ' % \
- (capfirst(related.opts.verbose_name), related.opts.app_label, related.opts.object_name.lower(),
- sub_obj._get_pk_val(), sub_obj), []])
+ nh(deleted_objects, current_depth, [mark_safe('%s: %s ' % \
+ (escape(capfirst(related.opts.verbose_name)), related.opts.app_label, related.opts.object_name.lower(),
+ sub_obj._get_pk_val(), escape(sub_obj))), []])
_get_deleted_objects(deleted_objects, perms_needed, user, sub_obj, related.opts, current_depth+2)
else:
has_related_objs = False
@@ -444,8 +445,8 @@ def _get_deleted_objects(deleted_objects
nh(deleted_objects, current_depth, ['%s: %s' % (capfirst(related.opts.verbose_name), escape(str(sub_obj))), []])
else:
# Display a link to the admin page.
- nh(deleted_objects, current_depth, ['%s: %s ' % \
- (capfirst(related.opts.verbose_name), related.opts.app_label, related.opts.object_name.lower(), sub_obj._get_pk_val(), escape(str(sub_obj))), []])
+ nh(deleted_objects, current_depth, [mark_safe('%s: %s ' % \
+ (escape(capfirst(related.opts.verbose_name)), related.opts.app_label, related.opts.object_name.lower(), sub_obj._get_pk_val(), escape(str(sub_obj)))), []])
_get_deleted_objects(deleted_objects, perms_needed, user, sub_obj, related.opts, current_depth+2)
# If there were related objects, and the user doesn't have
# permission to delete them, add the missing perm to perms_needed.
@@ -473,9 +474,9 @@ def _get_deleted_objects(deleted_objects
else:
# Display a link to the admin page.
nh(deleted_objects, current_depth, [
- (_('One or more %(fieldname)s in %(name)s:') % {'fieldname': related.field.verbose_name, 'name':related.opts.verbose_name}) + \
+ mark_safe((_('One or more %(fieldname)s in %(name)s:') % {'fieldname': escape(related.field.verbose_name), 'name':related.opts.verbose_name}) + \
(' %s ' % \
- (related.opts.app_label, related.opts.module_name, sub_obj._get_pk_val(), escape(str(sub_obj)))), []])
+ (related.opts.app_label, related.opts.module_name, sub_obj._get_pk_val(), escape(str(sub_obj))))), []])
# If there were related objects, and the user doesn't have
# permission to change them, add the missing perm to perms_needed.
if related.opts.admin and has_related_objs:
@@ -496,7 +497,8 @@ def delete_stage(request, app_label, mod
# Populate deleted_objects, a data structure of all related objects that
# will also be deleted.
- deleted_objects = ['%s: %s ' % (capfirst(opts.verbose_name), object_id, escape(str(obj))), []]
+ deleted_objects = [mark_safe('%s: %s ' %
+ (escape(capfirst(opts.verbose_name)), object_id, escape(str(obj)))), []]
perms_needed = sets.Set()
_get_deleted_objects(deleted_objects, perms_needed, request.user, obj, opts, 1)
@@ -593,7 +595,7 @@ class ChangeList(object):
del p[k]
elif v is not None:
p[k] = v
- return '?' + '&'.join(['%s=%s' % (k, v) for k, v in p.items()]).replace(' ', '%20')
+ return mark_safe('?' + '&'.join(['%s=%s' % (k, v) for k, v in p.items()]).replace(' ', '%20'))
def get_results(self, request):
paginator = ObjectPaginator(self.query_set, self.lookup_opts.admin.list_per_page)