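--- a/django/contrib/admin/media/js/admin/RelatedObjectLookups.js
+++ b/django/contrib/admin/media/js/admin/RelatedObjectLookups.js
@@ -1,6 +1,16 @@
 // Handles related-objects functionality: lookup link for raw_id_admin=True
 // and Add Another links.
 
+function html_unescape(text) {
+// Unescape a string that was escaped using django.utils.html.escape.
+text = text.replace(/</g, '<');
+text = text.replace(/>/g, '>');
+text = text.replace(/&/g, '&');
+text = text.replace(/"/g, '"');
+text = text.replace(/'/g, "'");
+return text;
+}
+
 function showRelatedObjectLookupPopup(triggeringLink) {
 var name = triggeringLink.id.replace(/^lookup_/, '');
 // IE doesn't like periods in the window name, so convert temporarily.
@@ -42,6 +52,10 @@
 }
 
 function dismissAddAnotherPopup(win, newId, newRepr) {
+// newId and newRepr are expected to have previously been escaped by
+// django.utils.html.escape.
+newId = html_unescape(newId);
+newRepr = html_unescape(newRepr);
 var name = win.name.replace(/___/g, '.');
 var elem = document.getElementById(name);
 if (elem) {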
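Review bot: In html_unescape the ampersand replacement runs third, before the double-quote and single-quote replacements. Assuming the patterns are the entity forms (this page shows them already decoded), a value whose original text contained an entity-looking sequence would be unescaped twice and would not round-trip. The ampersand replacement should move to the last position so that each escaped character is decoded exactly once. After the two html_unescape calls in dismissAddAnotherPopup, newId and newRepr are raw text again, and the rest of that function lies outside the hunk. It is worth confirming they only reach text-safe sinks (an option's text, an input's value) and adding a comment such as `// Raw text after unescaping: never assign to innerHTML or build markup from it.`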
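--- a/django/contrib/admin/views/main.py
+++ b/django/contrib/admin/views/main.py
@@ -270,10 +270,9 @@
 post_url_continue += "?_popup=1"
 return HttpResponseRedirect(post_url_continue % pk_value)
 if "_popup" in request.POST:
-if type(pk_value) is str: # Quote if string, so JavaScript doesn't think it's a variable.
-pk_value = '"%s"' % pk_value.replace('"', '\\"')
-return HttpResponse('<script type="text/javascript">opener.dismissAddAnotherPopup(window, %s, "%s");</script>' % \
-(pk_value, force_unicode(new_object).replace('"', '\\"')))
+return HttpResponse('<script type="text/javascript">opener.dismissAddAnotherPopup(window, "%s", "%s");</script>' % \
+# escape() calls force_unicode.
+(escape(pk_value), escape(new_object)))
 elif "_addanother" in request.POST:
 request.user.message_set.create(message=msg + ' ' + (_("You may add another %s below.") % force_unicode(opts.verbose_name)))
 return HttpResponseRedirect(request.path)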
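Review bot: The new `escape(pk_value)` and `escape(new_object)` arguments are HTML-escaped, but they are interpolated into JavaScript string literals inside a `<script>` element. HTML escaping leaves backslashes and line terminators untouched, so a primary key or object representation containing either can corrupt or prematurely close the literal. The value needs escaping for the JavaScript-string context as well. If this tree provides `django.utils.html.escapejs`, `(escapejs(pk_value), escapejs(new_object))` would be the direct form, though the client-side html_unescape contract would then have to change with it. Otherwise, at minimum escape backslash, CR and LF before the HTML escape. The enclosing view function begins outside this hunk, so whether pk_value can ever be user-chosen text is not visible here and should be confirmed.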