Ticket #11583: 11583-escaping.diff

File 11583-escaping.diff, 1.5 KB (added by rlaager@…, 6 years ago)
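--- a/templatetags/admin_list.py
+++ b/templatetags/admin_list.py
@@ -22,7 +22,7 @@
     elif i == cl.page_num:
         return mark_safe(u'<span class="this-page">%d</span> ' % (i+1))
     else:
-        return mark_safe(u'<a href="%s"%s>%d</a> ' % (cl.get_query_string({PAGE_VAR: i}), (i == cl.paginator.num_pages-1 and ' class="end"' or ''), i+1))
+        return mark_safe(u'<a href="%s"%s>%d</a> ' % (escape(cl.get_query_string({PAGE_VAR: i})), (i == cl.paginator.num_pages-1 and ' class="end"' or ''), i+1))
 paginator_number = register.simple_tag(paginator_number)
 
 def pagination(cl):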
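Review bot: The new `escape(...)` call on the `else` branch relies on `escape` being in scope in admin_list.py, but unlike the widgets.py part of this patch no import is added here; if the module does not already have `from django.utils.html import escape` at the top (not visible in this hunk), the name is only resolved when the tag renders and fails with a NameError on the last page of a changelist. Worth confirming against the module header, and adding the import in this same patch if it is missing. The enclosing `paginator_number` function begins before the hunk, so the other branches that build `href` values are not visible here; they should use the same escaping. A short comment above the line would also help the next reader: `# escape(): the query string contains '&' and user-supplied filter values, so it must be HTML-escaped before being placed in the href attribute.`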
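--- a/widgets.py
+++ b/widgets.py
@@ -9,6 +9,7 @@
 from django.forms.util import flatatt
 from django.utils.text import truncate_words
 from django.utils.translation import ugettext as _
+from django.utils.html import escape
 from django.utils.safestring import mark_safe
 from django.utils.encoding import force_unicode
 from django.conf import settings
@@ -148,6 +149,6 @@
     def label_for_value(self, value):
         key = self.rel.get_related_field().name
         obj = self.rel.to._default_manager.get(**{key: value})
-        return '&nbsp;<strong>%s</strong>' % truncate_words(obj, 14)
+        return '&nbsp;<strong>%s</strong>' % escape(truncate_words(obj, 14))
 
 class ManyToManyRawIdWidget(ForeignKeyRawIdWidget):
     """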
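Review bot: `label_for_value` has no docstring, and the escaping contract that this patch establishes on its return line is exactly what a reader needs stated, since the method mixes a literal HTML fragment with text derived from a model instance. I would add: `"""Return an HTML fragment naming the related object for ``value``; the object's text is passed through ``escape`` so the fragment is safe to embed in markup."""`. Note that `escape` (rather than `conditional_escape`) is the right choice here because the object's unicode form is model-controlled data, and any `mark_safe` applied by the caller should wrap this whole fragment and not be pushed down into the object's string. The enclosing class starts before the hunk and its `_default_manager.get` lookup can raise for an unknown or malformed `value`; that is pre-existing, but worth a note in the docstring's "Raises" line.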