Opened 18 years ago
Closed 18 years ago
#2505 closed defect (wontfix)
[patch] links in admin_doc for models won't work
Reported by: | | Owned by: | Adrian Holovaty |
---|---|---|---|
Component: | contrib.admin | Version: | dev |
Severity: | normal | Keywords: | |
Cc: | | Triage Stage: | Unreviewed |
Has patch: | yes | Needs documentation: | no |
Needs tests: | no | Patch needs improvement: | no |
Easy pickings: | no | UI/UX: | no |
Description
With Changeset 3350 http://code.djangoproject.com/changeset/3350 the verbose field was escaped to be safe.
Since the verbose fields are computed by admin_doc itself it should be safe enough, or not?
The verbose field for models contains <p> and <a> tags with nice cross reference links.
Maybe it's worth enough to let those tags come alive again?
Attachments (1)
Change History (2)
by , 18 years ago
Attachment: | admin_doc_model_detail.diff added |
---|
comment:1 by , 18 years ago
Resolution: | → wontfix |
---|---|
Status: | new → closed |
It was decided not to allow verbose names to contain HTML markup. Because they have to be displayed in multiple situations (not just HTML), it becomes too difficult to know when special characters have to be escaped or not (always escaping means that you can't put things like "&" in there and also have it work in non-HTML situations).
The fact that admin_doc is doing the presentation means nothing here: all it is doing is extracting the value the user entered. So if somebody provides an app with malicious code in a single field's verbose name, it's bad.
There is an argument to be made for making help text be non-escaped, although the above arguments still apply. But verbose names should be escaped.
enable the verbose field of models in admin_doc
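
The reasoning in the closing comment, as an added example that is not part of the ticket or of Django's own code: the verbose name is kept as typed, escaped only when HTML is written, and the cross-reference link is markup the documentation view generates around the escaped value. The function names, sample values and URL layout are assumptions made for illustration.

```python
from html import escape
from urllib.parse import quote

# Constructed sample values, as a developer might type them into a model.
VERBOSE_NAMES = [
    "Terms & Conditions",                 # legitimate special character
    "Entry <script>alert(1)</script>",    # markup shipped by an untrusted app
]


def as_plain_text(verbose_name):
    """Non-HTML output (console, e-mail, CSV): the stored value is used as is."""
    return verbose_name


def as_html(verbose_name):
    """HTML output: escape at render time, never at storage time."""
    return escape(verbose_name, quote=True)


def doc_link(app_label, model_name, verbose_name):
    """Cross-reference link built by the documentation view itself.

    The <a> element is trusted because this function wrote it; the verbose
    name is untrusted and is escaped before being placed inside it.
    The URL layout is hypothetical.
    """
    href = "/admin/doc/models/%s.%s/" % (
        quote(app_label, safe=""), quote(model_name, safe=""))
    return '<a href="%s">%s</a>' % (escape(href, quote=True),
                                    as_html(verbose_name))


def stored_pre_escaped(verbose_name):
    """The alternative the comment rejects: escaping once, when storing."""
    return escape(verbose_name, quote=True)


if __name__ == "__main__":
    for name in VERBOSE_NAMES:
        print("text:", as_plain_text(name))
        print("html:", doc_link("blog", "entry", name))
        # Pre-escaped storage leaks entities into non-HTML output.
        print("pre-escaped, shown as text:",
              as_plain_text(stored_pre_escaped(name)))
```

With the value stored raw, "&" survives in plain-text output and the link still renders; with the value escaped at storage time, plain-text consumers see `&amp;`.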