
Ticket #19577: 19577.diff

File 19577.diff, 2.8 KB (added by timo, 18 months ago)
1diff --git a/docs/ref/contrib/admin/index.txt b/docs/ref/contrib/admin/index.txt
2index b273255..eac18b1 100644
3--- a/docs/ref/contrib/admin/index.txt
4+++ b/docs/ref/contrib/admin/index.txt
5@@ -449,17 +449,25 @@ subclass::
6     * If the string given is a method of the model, ``ModelAdmin`` or a
7       callable, Django will HTML-escape the output by default. If you'd
8       rather not escape the output of the method, give the method an
9-      ``allow_tags`` attribute whose value is ``True``.
10+      ``allow_tags`` attribute whose value is ``True``. However, to avoid an
11+      XSS vulnerability, you should use :func:`~django.utils.html.format_html`
12+      to escape user-provided inputs.
13 
14       Here's a full example model::
15 
16+          from django.utils.html import format_html
17+
18           class Person(models.Model):
19               first_name = models.CharField(max_length=50)
20               last_name = models.CharField(max_length=50)
21               color_code = models.CharField(max_length=6)
22 
23               def colored_name(self):
24-                  return '<span style="color: #%s;">%s %s</span>' % (self.color_code, self.first_name, self.last_name)
25+                  return format_html('<span style="color: #{0};">{1} {2}</span>',
26+                                     self.color_code,
27+                                     self.first_name,
28+                                     self.last_name)
29+
30               colored_name.allow_tags = True
31 
32           class PersonAdmin(admin.ModelAdmin):
33@@ -500,12 +508,17 @@ subclass::
34 
35       For example::
36 
37+        from django.utils.html import format_html
38+
39         class Person(models.Model):
40             first_name = models.CharField(max_length=50)
41             color_code = models.CharField(max_length=6)
42 
43             def colored_first_name(self):
44-                return '<span style="color: #%s;">%s</span>' % (self.color_code, self.first_name)
45+                  return format_html('<span style="color: #{0};">{1}</span>',
46+                                     self.color_code,
47+                                     self.first_name)
48+
49             colored_first_name.allow_tags = True
50             colored_first_name.admin_order_field = 'first_name'
51 
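Review bot: The new `return format_html(...)` statement in `colored_first_name` is indented two columns deeper than the original `return` it replaces (18 spaces against a `def` at 12 and the following `colored_first_name.allow_tags = True` at 12), so the example no longer lines up with the surrounding block or with the `Person.colored_name` example earlier in the same patch. Python accepts it only because it is the sole statement in the body, and a reader copying it will have to fix it by hand. Dedent the three lines to `                return format_html('<span style="color: #{0};">{1}</span>',` with the continuation lines aligned under the opening parenthesis.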
52@@ -817,11 +830,13 @@ subclass::
53     the admin interface to provide feedback on the status of the objects being
54     edited, for example::
55 
56+        from django.utils.html import format_html
57+
58         class PersonAdmin(ModelAdmin):
59             readonly_fields = ('address_report',)
60 
61             def address_report(self, instance):
62-                return ", ".join(instance.get_full_address()) or \
63+                return format_html(", ".join(instance.get_full_address())) or \
64                    "<span class='errors'>I can't determine this address.</span>"
65 
66             # short_description functions like a model field's verbose_name
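Review bot: `format_html(", ".join(instance.get_full_address()))` in the new `address_report` line does not escape the address at all: format_html only escapes its positional and keyword arguments, and here the joined address is passed as the *format string*, which is returned marked safe verbatim — and any `{` or `}` in an address line will raise a `ValueError`/`KeyError` from `str.format`. Since the rest of this patch tells readers to use format_html precisely to escape user-provided input, the example should pass the text as an argument, `return format_html('{0}', ", ".join(instance.get_full_address())) or \`, or build it per line with `format_html_join`. The fallback `"<span class='errors'>…</span>"` is still a plain `str`; whether it is rendered as markup depends on an `allow_tags` setting on `address_report` that, if present, lies outside this hunk, so consider wrapping it in `mark_safe(...)` and saying so in the surrounding prose.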