
Ticket #11502: admin_escaping.diff

File admin_escaping.diff, 2.1 KB (added by Tomasz Elendt <tomasz.elendt@…>, 5 years ago)

Pulled changes from #11583

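--- a/django/contrib/admin/templatetags/admin_list.py
+++ b/django/contrib/admin/templatetags/admin_list.py
@@ -22,7 +22,7 @@
     elif i == cl.page_num:
         return mark_safe(u'<span class="this-page">%d</span> ' % (i+1))
     else:
-        return mark_safe(u'<a href="%s"%s>%d</a> ' % (cl.get_query_string({PAGE_VAR: i}), (i == cl.paginator.num_pages-1 and ' class="end"' or ''), i+1))
+        return mark_safe(u'<a href="%s"%s>%d</a> ' % (escape(cl.get_query_string({PAGE_VAR: i})), (i == cl.paginator.num_pages-1 and ' class="end"' or ''), i+1))
 paginator_number = register.simple_tag(paginator_number)
 
 def pagination(cl):
@@ -265,7 +265,7 @@
         day_lookup = cl.params.get(day_field)
         year_month_format, month_day_format = get_partial_date_formats()
 
-        link = lambda d: mark_safe(cl.get_query_string(d, [field_generic]))
+        link = lambda d: cl.get_query_string(d, [field_generic])
 
         if year_lookup and month_lookup and day_lookup:
             day = datetime.date(int(year_lookup), int(month_lookup), int(day_lookup))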
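Review bot: The new `escape(...)` call in paginator_number relies on `escape` already being imported into admin_list.py, yet unlike the widgets.py part of this patch no import is added here; if django.utils.html.escape is not already among this module's imports the tag raises NameError at render time, so confirm it is in scope before applying. In the date_hierarchy hunk, dropping `mark_safe` from `link` hands the href's escaping to the template, which only holds while that template renders under autoescape (presumably the intent, so the `&` separators in the query string come out as `&amp;`); a comment such as `# plain string on purpose: the template autoescapes the href, turning '&' into '&amp;'` would stop a future maintainer from re-adding mark_safe. Both enclosing functions, paginator_number and date_hierarchy, start outside these hunks.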
23Index: django/contrib/admin/widgets.py
24===================================================================
25--- django/contrib/admin/widgets.py     (wersja 11368)
26+++ django/contrib/admin/widgets.py     (kopia robocza)
27@@ -7,6 +7,7 @@
28 from django import forms
29 from django.forms.widgets import RadioFieldRenderer
30 from django.forms.util import flatatt
31+from django.utils.html import escape
32 from django.utils.text import truncate_words
33 from django.utils.translation import ugettext as _
34 from django.utils.safestring import mark_safe
35@@ -148,7 +149,7 @@
36     def label_for_value(self, value):
37         key = self.rel.get_related_field().name
38         obj = self.rel.to._default_manager.get(**{key: value})
39-        return '&nbsp;<strong>%s</strong>' % truncate_words(obj, 14)
40+        return '&nbsp;<strong>%s</strong>' % escape(truncate_words(obj, 14))
41 
42 class ManyToManyRawIdWidget(ForeignKeyRawIdWidget):
43     """