Ticket #11583: 11583-escaping.diff
File 11583-escaping.diff, 1.5 KB (added by , 15 years ago) |
templatetags/admin_list.py
22 22 elif i == cl.page_num: 23 23 return mark_safe(u'<span class="this-page">%d</span> ' % (i+1)) 24 24 else: 25 return mark_safe(u'<a href="%s"%s>%d</a> ' % ( cl.get_query_string({PAGE_VAR: i}), (i == cl.paginator.num_pages-1 and ' class="end"' or ''), i+1))25 return mark_safe(u'<a href="%s"%s>%d</a> ' % (escape(cl.get_query_string({PAGE_VAR: i})), (i == cl.paginator.num_pages-1 and ' class="end"' or ''), i+1)) 26 26 paginator_number = register.simple_tag(paginator_number) 27 27 28 28 def pagination(cl): -
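Review bot: Wrapping `cl.get_query_string({PAGE_VAR: i})` in `escape()` on new line 25 is only correct if that helper returns a raw, unescaped query string. If it already joins parameters with `&amp;` or returns a string marked safe, `escape()` will encode it a second time and the pagination links will carry `&amp;amp;`. In that case `conditional_escape()` from `django.utils.html`, which leaves input already marked safe untouched, would be the safer call, or the encoding could be done once inside `get_query_string`. The patch shows no import hunk for this file, so confirm `escape` is already imported in `admin_list.py`. The enclosing function starts above the hunk.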
widgets.py
9 9 from django.forms.util import flatatt 10 10 from django.utils.text import truncate_words 11 11 from django.utils.translation import ugettext as _ 12 from django.utils.html import escape 12 13 from django.utils.safestring import mark_safe 13 14 from django.utils.encoding import force_unicode 14 15 from django.conf import settings … … 148 149 def label_for_value(self, value): 149 150 key = self.rel.get_related_field().name 150 151 obj = self.rel.to._default_manager.get(**{key: value}) 151 return ' <strong>%s</strong>' % truncate_words(obj, 14)152 return ' <strong>%s</strong>' % escape(truncate_words(obj, 14)) 152 153 153 154 class ManyToManyRawIdWidget(ForeignKeyRawIdWidget): 154 155 """
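Review bot: `label_for_value` now returns an HTML fragment in which the object's text is escaped but the string itself is not marked safe, so the result is only correct if the caller (outside this hunk) emits it without escaping it again. A one-line docstring would pin that contract down, e.g. `"""Return an HTML fragment; the related object's label is truncated, then escaped."""`. Separately, `value` reaches `_default_manager.get(**{key: value})` unguarded on the context line above the change. If `value` can come from submitted form data, a missing or malformed key would raise there instead of rendering an empty label, which may be worth handling in a follow-up.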