
Ticket #615: admin.patch

File admin.patch, 5.0 KB (added by sune.kirkeby@…, 9 years ago)
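--- a/django/views/admin/main.py
+++ b/django/views/admin/main.py
@@ -5,7 +5,7 @@
 from django.core.extensions import DjangoContext as Context
 from django.core.extensions import get_object_or_404, render_to_response
 from django.models.auth import log
-from django.utils.html import strip_tags
+from django.utils.html import escape
 from django.utils.httpwrappers import HttpResponse, HttpResponseRedirect
 from django.utils.text import capfirst, get_text_list
 from django.conf.settings import ADMIN_MEDIA_PREFIX
@@ -383,7 +383,7 @@
                     # For non-field list_display values, the value is a method
                     # name. Execute the method.
                     try:
-                        result_repr = strip_tags(str(getattr(result, field_name)()))
+                        result_repr = escape(str(getattr(result, field_name)()))
                     except ObjectDoesNotExist:
                         result_repr = EMPTY_CHANGELIST_VALUE
                 else:
@@ -392,7 +392,7 @@
                     # related object.
                     if isinstance(f.rel, meta.ManyToOne):
                         if field_val is not None:
-                            result_repr = getattr(result, 'get_%s' % f.name)()
+                            result_repr = escape(getattr(result, 'get_%s' % f.name)())
                         else:
                             result_repr = EMPTY_CHANGELIST_VALUE
                     # Dates are special: They're formatted in a certain way.
@@ -422,9 +422,9 @@
                     # Fields with choices are special: Use the representation
                     # of the choice.
                     elif f.choices:
-                        result_repr = dict(f.choices).get(field_val, EMPTY_CHANGELIST_VALUE)
+                        result_repr = escape(dict(f.choices).get(field_val, EMPTY_CHANGELIST_VALUE))
                     else:
-                        result_repr = strip_tags(str(field_val))
+                        result_repr = escape(str(field_val))
                 # Some browsers don't like empty "<td></td>"s.
                 if result_repr == '':
                     result_repr = '&nbsp;'
@@ -1024,11 +1024,11 @@
                 if rel_field.rel.edit_inline or not rel_opts.admin:
                     # Don't display link to edit, because it either has no
                     # admin or is edited inline.
-                    nh(deleted_objects, current_depth, ['%s: %s' % (capfirst(rel_opts.verbose_name), strip_tags(repr(sub_obj))), []])
+                    nh(deleted_objects, current_depth, ['%s: %s' % (capfirst(rel_opts.verbose_name), escape(repr(sub_obj))), []])
                 else:
                     # Display a link to the admin page.
                     nh(deleted_objects, current_depth, ['%s: <a href="../../../../%s/%s/%s/">%s</a>' % \
-                        (capfirst(rel_opts.verbose_name), rel_opts.app_label, rel_opts.module_name, sub_obj.id, strip_tags(repr(sub_obj))), []])
+                        (capfirst(rel_opts.verbose_name), rel_opts.app_label, rel_opts.module_name, sub_obj.id, escape(repr(sub_obj))), []])
                 _get_deleted_objects(deleted_objects, perms_needed, user, sub_obj, rel_opts, current_depth+2)
             # If there were related objects, and the user doesn't have
             # permission to delete them, add the missing perm to perms_needed.
@@ -1048,11 +1048,11 @@
                 # Don't display link to edit, because it either has no
                 # admin or is edited inline.
                 nh(deleted_objects, current_depth, ['One or more %s in %s: %s' % \
-                    (rel_field.name, rel_opts.verbose_name, strip_tags(repr(sub_obj))), []])
+                    (rel_field.name, rel_opts.verbose_name, escape(repr(sub_obj))), []])
             else:
                 # Display a link to the admin page.
                 nh(deleted_objects, current_depth, ['One or more %s in %s: <a href="../../../../%s/%s/%s/">%s</a>' % \
-                    (rel_field.name, rel_opts.verbose_name, rel_opts.app_label, rel_opts.module_name, sub_obj.id, strip_tags(repr(sub_obj))), []])
+                    (rel_field.name, rel_opts.verbose_name, rel_opts.app_label, rel_opts.module_name, sub_obj.id, escape(repr(sub_obj))), []])
         # If there were related objects, and the user doesn't have
         # permission to change them, add the missing perm to perms_needed.
         if rel_opts.admin and has_related_objs:
@@ -1069,7 +1069,7 @@
 
     # Populate deleted_objects, a data structure of all related objects that
     # will also be deleted.
-    deleted_objects = ['%s: <a href="../../%s/">%s</a>' % (capfirst(opts.verbose_name), object_id, strip_tags(repr(obj))), []]
+    deleted_objects = ['%s: <a href="../../%s/">%s</a>' % (capfirst(opts.verbose_name), object_id, escape(repr(obj))), []]
     perms_needed = sets.Set()
     _get_deleted_objects(deleted_objects, perms_needed, request.user, obj, opts, 1)
 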
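Review bot: The new lines at 395 and 425 hand escape() a value that may not be a string — `escape(getattr(result, 'get_%s' % f.name)())` passes the related object itself and the choices line passes the raw choice label — while the 386 and 427 lines wrap theirs in str() first; unless escape() is known to coerce non-strings, write `result_repr = escape(str(getattr(result, 'get_%s' % f.name)()))` and `result_repr = escape(str(dict(f.choices).get(field_val, EMPTY_CHANGELIST_VALUE)))` so every branch feeds it text. Replacing strip_tags with escape is the right direction, since encoding the HTML metacharacters does not depend on a tag-removal regex recognising every malformed tag an attacker can put in a field value. One caveat for the method branch at 386: a list_display method that intentionally returns markup will now render as literal text, so if that is meant to stay supported it needs an explicit opt-in attribute on the method rather than a fallback to strip_tags. The href attributes on the 1031, 1055 and 1072 lines still interpolate `sub_obj.id` and `object_id` unescaped; presumably these are integer primary keys, but that is worth confirming since the object was looked up by the same value. The enclosing changelist loop and _get_deleted_objects both start and end outside these hunks.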