
Ticket #11583: 11583-escaping.diff

File 11583-escaping.diff, 1.5 KB (added by rlaager@…, 5 years ago)
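--- a/templatetags/admin_list.py
+++ b/templatetags/admin_list.py
@@ -22,7 +22,7 @@
     elif i == cl.page_num:
         return mark_safe(u'<span class="this-page">%d</span> ' % (i+1))
     else:
-        return mark_safe(u'<a href="%s"%s>%d</a> ' % (cl.get_query_string({PAGE_VAR: i}), (i == cl.paginator.num_pages-1 and ' class="end"' or ''), i+1))
+        return mark_safe(u'<a href="%s"%s>%d</a> ' % (escape(cl.get_query_string({PAGE_VAR: i})), (i == cl.paginator.num_pages-1 and ' class="end"' or ''), i+1))
 paginator_number = register.simple_tag(paginator_number)
 
 def pagination(cl):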
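Review bot: The added line relies on `escape` already being a name in admin_list.py, yet unlike the widgets.py half of this patch no import is added here; if `from django.utils.html import escape` is not already at the top of this module, the tag raises NameError on the first non-current page link, so confirm before merging. Escaping the query string itself is the right call: `cl.get_query_string` is presumably built from the request's GET parameters and otherwise lands unescaped inside a `mark_safe` href. The `elif` branch only interpolates an integer and needs no change, but `paginator_number` begins before this hunk, so any earlier branch that builds markup from `cl` is not covered by this review. Style only: the `cond and a or b` idiom for the `class="end"` suffix reads more clearly as `' class="end"' if i == cl.paginator.num_pages-1 else ''`, if the project's minimum Python version allows it.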
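--- a/widgets.py
+++ b/widgets.py
@@ -9,6 +9,7 @@
 from django.forms.util import flatatt
 from django.utils.text import truncate_words
 from django.utils.translation import ugettext as _
+from django.utils.html import escape
 from django.utils.safestring import mark_safe
 from django.utils.encoding import force_unicode
 from django.conf import settings
@@ -148,7 +149,7 @@
     def label_for_value(self, value):
         key = self.rel.get_related_field().name
         obj = self.rel.to._default_manager.get(**{key: value})
-        return '&nbsp;<strong>%s</strong>' % truncate_words(obj, 14)
+        return '&nbsp;<strong>%s</strong>' % escape(truncate_words(obj, 14))
 
 class ManyToManyRawIdWidget(ForeignKeyRawIdWidget):
     """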
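Review bot: `label_for_value` still calls `self.rel.to._default_manager.get(**{key: value})` on a caller-supplied `value` with no handler for a missing row or a non-numeric id, so rendering a raw-id field with a bogus value raises rather than degrading; escaping the label fixes the injection but leaves that, and a guard in the same spot such as `try: obj = self.rel.to._default_manager.get(**{key: value})` / `except (ValueError, self.rel.to.DoesNotExist): return ''` would close it. Wrapping `truncate_words(obj, 14)` in `escape` is correct, since the text comes from the related object's string form, which an admin user can usually control. The method returns a plain `str` rather than a `mark_safe` value, so the caller presumably marks the whole widget output safe — confirm the `&nbsp;<strong>` markup actually survives autoescaping where it is rendered. The enclosing class, `ForeignKeyRawIdWidget` by the subclass line below, starts before this hunk.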