Ticket #11502: django_escaping.diff

File django_escaping.diff, 1.6 KB (added by Tomasz Elendt <tomasz.elendt@…>, 6 years ago)

Updated patch

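--- a/django/contrib/admin/templatetags/admin_list.py
+++ b/django/contrib/admin/templatetags/admin_list.py
@@ -265,7 +265,7 @@
         day_lookup = cl.params.get(day_field)
         year_month_format, month_day_format = get_partial_date_formats()
 
-        link = lambda d: mark_safe(cl.get_query_string(d, [field_generic]))
+        link = lambda d: cl.get_query_string(d, [field_generic])
 
         if year_lookup and month_lookup and day_lookup:
             day = datetime.date(int(year_lookup), int(month_lookup), int(day_lookup))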
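Review bot: Dropping `mark_safe` from the `link` lambda only closes the hole if the template that renders `link` autoescapes it, and the new line leaves no trace of why the wrapper went away, so a later "fix" for a double-escaped `&amp;` could easily put it back. I would add `# no mark_safe: the query string echoes request parameters and must be autoescaped by the template` above the lambda, plus a regression test that requests the changelist with a crafted GET parameter (one containing `<script>`) and asserts the date-hierarchy links contain the escaped form. Whether `get_query_string` URL-encodes its values is not visible here, so template-side escaping is the only protection this patch relies on. The lambda belongs to a function whose start and end lie outside the hunk.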
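--- a/django/contrib/admin/widgets.py
+++ b/django/contrib/admin/widgets.py
@@ -7,6 +7,7 @@
 from django import forms
 from django.forms.widgets import RadioFieldRenderer
 from django.forms.util import flatatt
+from django.utils.html import escape
 from django.utils.text import truncate_words
 from django.utils.translation import ugettext as _
 from django.utils.safestring import mark_safe
@@ -148,7 +149,7 @@
     def label_for_value(self, value):
         key = self.rel.get_related_field().name
         obj = self.rel.to._default_manager.get(**{key: value})
-        return '&nbsp;<strong>%s</strong>' % truncate_words(obj, 14)
+        return '&nbsp;<strong>%s</strong>' % escape(truncate_words(obj, 14))
 
 class ManyToManyRawIdWidget(ForeignKeyRawIdWidget):
     """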
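Review bot: `escape()` is applied to the truncated text only, which is the right order (escaping first could leave a half-cut entity after truncation), but because the `&nbsp;<strong>…</strong>` wrapper is a plain literal the return value is an ordinary string rather than a SafeString, so it still depends on the caller marking the joined fragment safe; that caller is outside the hunk, and if it does not, the `<strong>` tags will now render literally. A one-line comment would save the next reader the trip: `# escape after truncation: obj's string form is user data; the caller marks the whole fragment safe`. Please also add a regression test with a related object whose unicode form is `<script>alert(1)</script>` and assert the returned label contains `&lt;script&gt;`. Separately, `_default_manager.get(**{key: value})` on the unchanged line raises `DoesNotExist` for a stale raw id, which this patch leaves unhandled.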