#5490 closed (fixed)
newforms-admin: Admin pages insufficiently escape special characters in primary keys links
| Reported by: | jdetaeye | Owned by: | Brian Rosner |
|---|---|---|---|
| Component: | contrib.admin | Version: | newforms-admin |
| Severity: | Keywords: | nfa-blocker, ep2008 | |
| Cc: | jdetaeye@…, cmawebsite@… | Triage Stage: | Ready for checkin |
| Has patch: | yes | Needs documentation: | no |
| Needs tests: | no | Patch needs improvement: | no |
| Easy pickings: | no | UI/UX: | no |
Description
This is the same issue as reported in #5041, but tested and patched in the newforms-admin.
To reproduce:
- create a model with a string as primary key
- create a record with name ": / # ? ; @ & = + $ , " < > %"
In the admin ui you can now find the following problems:
1) link from the 'change list' to the 'change form' doesn't work
2) the link displayed in the 'recent actions' doesn't work
3) the links displayed on the 'delete confirmation' page doesn't work
Attachments (3)
Change History (20)
by , 17 years ago
| Attachment: | ecaping_url.patch added |
|---|
comment:1 by , 17 years ago
| Triage Stage: | Unreviewed → Ready for checkin |
|---|
comment:2 by , 17 years ago
| Cc: | added |
|---|
comment:3 by , 17 years ago
| Owner: | changed from to |
|---|
Reassigning to Christian so he'll see it, since he's doing newforms-admin template stuff.
comment:4 by , 16 years ago
The patch is slightly out of date since the introduction of the auto-escaping...
comment:5 by , 16 years ago
| Keywords: | nfa-blocker added; newforms-admin removed |
|---|---|
| Patch needs improvement: | set |
| Triage Stage: | Ready for checkin → Accepted |
This should be included before the merge into trunk. Bumping down to Accepted since it needs a new patch against newforms-admin.
by , 16 years ago
| Attachment: | urlquote.diff added |
|---|
comment:6 by , 16 years ago
| milestone: | → 1.0 alpha |
|---|
comment:7 by , 16 years ago
| Keywords: | ep2008 added |
|---|---|
| Owner: | changed from to |
| Status: | new → assigned |
I'm having another look at this ticket and the supplied patches
comment:10 by , 16 years ago
Updated patch to include unit tests and changed the locations of where the actual urlquote is being done.
by , 16 years ago
| Attachment: | urlquote_string_primarekey_with_tests.diff added |
|---|
Updated patch and added unit tests
comment:11 by , 16 years ago
I have tested latest patch with browsers. All test passed. It works fine with Opera 9.51, FF3 and Konqueror 3.5.9.
comment:12 by , 16 years ago
Yes I've done the same thing to be sure that the quoting has the same semantics in all browser, I've tested on Safari, FF3 (mac), FF (windows), IE6 & 7 and Camino. Works great. I'll ask Honza to triage this tomorrow and then it can be checked in.
comment:13 by , 16 years ago
| Needs tests: | unset |
|---|---|
| Patch needs improvement: | unset |
| Triage Stage: | Accepted → Ready for checkin |
marking this ready for checkin as part of the sprint, the attached tests pass and it has been tested on firefox, konqueror and IE
comment:14 by , 16 years ago
| Owner: | changed from to |
|---|---|
| Status: | assigned → new |
comment:15 by , 16 years ago
| Cc: | added |
|---|
comment:16 by , 16 years ago
| Resolution: | → fixed |
|---|---|
| Status: | new → closed |
patch