#24461 closed Bug (fixed)
Admin readonly_fields pointing to properties (@property) do not get escaped.
| Reported by: | Eran Rundstein | Owned by: | Baptiste Mispelon |
|---|---|---|---|
| Component: | contrib.admin | Version: | 1.7 |
| Severity: | Normal | Keywords: | |
| Cc: | | Triage Stage: | Accepted |
| Has patch: | no | Needs documentation: | no |
| Needs tests: | no | Patch needs improvement: | no |
| Easy pickings: | no | UI/UX: | no |
Description
Hey,
My model has a @property, and I am using readonly_fields to display it. allow_tags is nowhere to be seen, and I believe the culprit is the following code (env/lib/python2.7/site-packages/django/contrib/admin/helpers.py):
```python
result_repr = smart_text(value)
if getattr(attr, "allow_tags", False):
    result_repr = mark_safe(result_repr)
else:
    result_repr = linebreaksbr(result_repr)
```
This is used by AdminReadonlyField to render the field. Unfortunately, linebreaksbr relies on the template system autoescape mechanism, which isn't kicking in when calling the filter directly:
```
In [2]: linebreaksbr('<a>test</a>')
Out[2]: u'<a>test</a>'
In [3]: type(_)
Out[3]: django.utils.safestring.SafeText
```
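The failure mode described above, as an added example that is not part of the ticket or of Django's code: `SafeText`, `mark_safe`, `escape`, `conditional_escape` and `linebreaksbr` below are small stand-ins written for this example (so it runs without Django installed) that model the filter's behaviour the reporter observed, namely that a direct call from Python skips escaping yet still marks the result safe. `render_readonly_vulnerable` reproduces the quoted `helpers.py` pattern and `render_readonly_fixed` shows one hardened form, escaping the untrusted text before the filter.

```python
import html
import re

class SafeText(str):
    """Marker type: content is already HTML and must not be escaped again."""

def mark_safe(s):
    return SafeText(s)

def escape(s):
    return SafeText(html.escape(str(s), quote=True))

def conditional_escape(s):
    # Already-safe content passes through; everything else is escaped.
    return s if isinstance(s, SafeText) else escape(s)

def linebreaksbr(value, autoescape=None):
    """Models a needs_autoescape template filter (stand-in, not Django's code):
    the template engine passes autoescape=True, but a direct Python call leaves
    it None, so nothing is escaped although the result is still marked safe."""
    autoescape = autoescape and not isinstance(value, SafeText)
    value = re.sub(r'\r\n|\r', '\n', str(value))   # normalise newlines
    if autoescape:
        value = escape(value)
    return mark_safe(value.replace('\n', '<br />'))

def render_readonly_vulnerable(value, allow_tags=False):
    """The pattern quoted in the ticket: the property's plain str goes straight
    into linebreaksbr, which marks it safe without escaping any markup."""
    result_repr = str(value)
    if allow_tags:
        return mark_safe(result_repr)
    return linebreaksbr(result_repr)

def render_readonly_fixed(value, allow_tags=False):
    """Hardened variant for this example: escape before the filter (passing
    autoescape=True would work too), so markup in the property is neutralised
    while the newline -> <br /> conversion still applies."""
    result_repr = str(value)
    if allow_tags:
        return mark_safe(result_repr)
    return linebreaksbr(conditional_escape(result_repr))

if __name__ == "__main__":
    # Constructed sample: a @property returning user-influenced text with markup.
    value = 'line one\n<a href="x">test</a>'
    print(render_readonly_vulnerable(value))  # markup emitted verbatim
    print(render_readonly_fixed(value))       # markup escaped, <br /> kept
```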
Change History (4)
comment:1 by , 11 years ago
| Owner: | changed from to |
|---|---|
| Status: | new → assigned |
| Triage Stage: | Unreviewed → Accepted |
comment:2 by , 11 years ago
| Resolution: | → fixed |
|---|---|
| Status: | assigned → closed |
Hi,
I can indeed reproduce the issue, thanks for bringing it up.