Django

Ticket #5490 (closed: fixed)

Opened 1 year ago

Last modified 5 months ago

newforms-admin: Admin pages insufficiently escape special characters in primary keys links

Reported by: jdetaeye
Assigned to: brosner
Milestone: 1.0 alpha
Component: django.contrib.admin
Version: newforms-admin
Keywords: nfa-blocker, ep2008
Cc: jdetaeye@frepple.com, cmawebsite@gmail.com
Triage Stage: Ready for checkin
Has patch: 1
Needs documentation: 0
Needs tests: 0
Patch needs improvement: 0

Description

This is the same issue as reported in #5041, but tested and patched in the newforms-admin.

To reproduce:
- create a model with a string as primary key
- create a record with name ": / # ? ; @ & = + $ , " < > %"

In the admin ui you can now find the following problems:
1) link from the 'change list' to the 'change form' doesn't work
2) the link displayed in the 'recent actions' doesn't work
3) the links displayed on the 'delete confirmation' page don't work

Attachments

ecaping_url.patch (7.4 kB) - added by jdetaeye on 09/15/07 06:23:11.
patch
urlquote.diff (2.8 kB) - added by tlpinney on 03/19/08 00:48:44.
urlquote_string_primarekey_with_tests.diff (10.1 kB) - added by shanx on 07/11/08 11:51:55.
Updated patch and added unit tests

Change History

09/15/07 06:23:11 changed by jdetaeye

  • attachment ecaping_url.patch added.

patch

09/15/07 06:29:27 changed by Simon G. <dev@simon.net.nz>

  • needs_better_patch changed.
  • stage changed from Unreviewed to Ready for checkin.
  • needs_tests changed.
  • needs_docs changed.

09/15/07 06:32:07 changed by jdetaeye

  • cc set to jdetaeye@frepple.com.

09/23/07 03:49:00 changed by ubernostrum

  • owner changed from nobody to xian.

Reassigning to Christian so he'll see it, since he's doing newforms-admin template stuff.

12/03/07 00:33:58 changed by jdetaeye

The patch is slightly out of date since the introduction of the auto-escaping...

12/07/07 20:23:57 changed by brosner

  • keywords changed from newforms-admin to nfa-blocker.
  • needs_better_patch set to 1.
  • stage changed from Ready for checkin to Accepted.

This should be included before the merge into trunk. Bumping down to Accepted since it needs a new patch against newforms-admin.

03/19/08 00:48:44 changed by tlpinney

  • attachment urlquote.diff added.

06/16/08 10:45:56 changed by garcia_marc

  • milestone set to 1.0 alpha.

07/10/08 08:52:54 changed by shanx

  • keywords changed from nfa-blocker to nfa-blocker, ep2008.
  • owner changed from xian to shanx.
  • status changed from new to assigned.

I'm having another look at this ticket and the supplied patches

07/10/08 09:57:17 changed by shanx

  • needs_tests set to 1.

These changes at least need tests

07/11/08 06:50:15 changed by shanx

Work for this also seems to have been done in #1375

07/11/08 11:06:29 changed by shanx

Updated patch to include unit tests and changed the locations of where the actual urlquote is being done.

07/11/08 11:51:55 changed by shanx

  • attachment urlquote_string_primarekey_with_tests.diff added.

Updated patch and added unit tests

07/11/08 12:29:53 changed by anonymous

I have tested the latest patch with browsers. All tests passed. It works fine with Opera 9.51, FF3 and Konqueror 3.5.9.

07/11/08 19:56:33 changed by shanx

Yes, I've done the same thing to be sure that the quoting has the same semantics in all browsers. I've tested on Safari, FF3 (mac), FF (windows), IE6 & 7 and Camino. Works great. I'll ask Honza to triage this tomorrow and then it can be checked in.

07/12/08 06:23:53 changed by Honza_Kral

  • needs_better_patch deleted.
  • needs_tests deleted.
  • stage changed from Accepted to Ready for checkin.

Marking this ready for checkin as part of the sprint; the attached tests pass and it has been tested on Firefox, Konqueror and IE.

07/12/08 11:22:22 changed by brosner

  • owner changed from shanx to brosner.
  • status changed from assigned to new.

07/16/08 06:48:58 changed by anonymous

  • cc changed from jdetaeye@frepple.com to jdetaeye@frepple.com, cmawebsite@gmail.com.

07/16/08 14:21:15 changed by brosner

  • status changed from new to closed.
  • resolution set to fixed.

(In [7935]) newforms-admin: Fixed #5490 -- Properly quote special characters in primary keys in the admin. Added tests to ensure functionality. This also moves quote and unquote to django/contrib/admin/util.py. Thanks jdetaeye and shanx for all your help.
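The failure in the description and a reversible escaping scheme that avoids it, as an added example (not the code committed in [7935]). `quote_pk`, `unquote_pk`, the `_XX` escape format and the `/admin/app/model/` path are assumptions of this example.

```python
import re
from urllib.parse import unquote, urlsplit

# Constructed sample: the primary key from the ticket's reproduction steps.
PK = ': / # ? ; @ & = + $ , " < > %'

# Characters with special meaning in URLs or HTML attributes, plus the
# escape character itself so that quoting stays reversible.
SPECIAL = set(':/#?;@&=+$,"<>%\\_')

def quote_pk(pk):
    """Hypothetical helper: replace each special character with _XX (hex)."""
    return "".join("_%02X" % ord(c) if c in SPECIAL else c for c in pk)

def unquote_pk(segment):
    """Hypothetical helper: reverse quote_pk()."""
    return re.sub(r"_([0-9A-F]{2})", lambda m: chr(int(m.group(1), 16)), segment)

def change_url(pk, escape=True):
    """Build an admin-style change link; escape=False is the broken form."""
    return "/admin/app/model/%s/" % (quote_pk(pk) if escape else pk)

def pk_seen_by_server(url):
    """Split the URL as a client would, percent-decode the path as a server
    does, then take the last path segment as the primary key."""
    path = unquote(urlsplit(url).path)
    return unquote_pk(path.rstrip("/").rsplit("/", 1)[-1])
```

Using `_` rather than `%` as the escape character keeps the segment intact even if an intermediate layer percent-decodes the path before routing.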

