Ticket #19577: 19577.diff

File 19577.diff, 2.8 KB (added by timo, 3 years ago)
  • docs/ref/contrib/admin/index.txt

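diff --git a/docs/ref/contrib/admin/index.txt b/docs/ref/contrib/admin/index.txt
index b273255..eac18b1 100644
--- a/docs/ref/contrib/admin/index.txt
+++ b/docs/ref/contrib/admin/index.txt
@@ -449,17 +449,25 @@ subclass::
     * If the string given is a method of the model, ``ModelAdmin`` or a
       callable, Django will HTML-escape the output by default. If you'd
       rather not escape the output of the method, give the method an
-      ``allow_tags`` attribute whose value is ``True``.
+      ``allow_tags`` attribute whose value is ``True``. However, to avoid an
+      XSS vulnerability, you should use :func:`~django.utils.html.format_html`
+      to escape user-provided inputs.
 
       Here's a full example model::
 
+          from django.utils.html import format_html
+
           class Person(models.Model):
               first_name = models.CharField(max_length=50)
               last_name = models.CharField(max_length=50)
               color_code = models.CharField(max_length=6)
 
               def colored_name(self):
-                  return '<span style="color: #%s;">%s %s</span>' % (self.color_code, self.first_name, self.last_name)
+                  return format_html('<span style="color: #{0};">{1} {2}</span>',
+                                     self.color_code,
+                                     self.first_name,
+                                     self.last_name)
+
               colored_name.allow_tags = True
 
           class PersonAdmin(admin.ModelAdmin):
@@ -500,12 +508,17 @@ subclass::
 
       For example::
 
+        from django.utils.html import format_html
+
         class Person(models.Model):
             first_name = models.CharField(max_length=50)
             color_code = models.CharField(max_length=6)
 
             def colored_first_name(self):
-                return '<span style="color: #%s;">%s</span>' % (self.color_code, self.first_name)
+                  return format_html('<span style="color: #{0};">{1}</span>',
+                                     self.color_code,
+                                     self.first_name)
+
             colored_first_name.allow_tags = True
             colored_first_name.admin_order_field = 'first_name'
 
@@ -817,11 +830,13 @@ subclass::
     the admin interface to provide feedback on the status of the objects being
     edited, for example::
 
+        from django.utils.html import format_html
+
         class PersonAdmin(ModelAdmin):
             readonly_fields = ('address_report',)
 
             def address_report(self, instance):
-                return ", ".join(instance.get_full_address()) or \
+                return format_html(", ".join(instance.get_full_address())) or \
                    "<span class='errors'>I can't determine this address.</span>"
 
             # short_description functions like a model field's verbose_name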
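Review bot: The new `address_report` example (third hunk, new line 839) passes the joined address to `format_html` as its *format string*, which `format_html` does not escape — it only escapes the positional and keyword arguments before calling `str.format` and then marks the whole result safe — so the example still emits unescaped data and, in addition, any `{` or `}` in an address line is interpreted as a replacement field and raises. Since this is the documentation readers copy for an `allow_tags` readonly field, the line should be `return format_html("{0}", ", ".join(instance.get_full_address())) or \`, which escapes the address while leaving the `or` fallback intact (an empty escaped string is still falsy). The `colored_name` and `colored_first_name` rewrites in the first two hunks do pass the values as arguments and are correct; only as a style point, the rewritten body of `colored_first_name` in the second hunk is indented 18 columns under a `def` at 12, unlike the surrounding examples. The `PersonAdmin` class in the third hunk continues past the end of the hunk.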