Ticket #615: admin.patch

File admin.patch, 5.0 KB (added by sune.kirkeby@…, 10 years ago)
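--- a/django/views/admin/main.py
+++ b/django/views/admin/main.py
@@ -5,7 +5,7 @@
 from django.core.extensions import DjangoContext as Context
 from django.core.extensions import get_object_or_404, render_to_response
 from django.models.auth import log
-from django.utils.html import strip_tags
+from django.utils.html import escape
 from django.utils.httpwrappers import HttpResponse, HttpResponseRedirect
 from django.utils.text import capfirst, get_text_list
 from django.conf.settings import ADMIN_MEDIA_PREFIX
@@ -383,7 +383,7 @@
                     # For non-field list_display values, the value is a method
                     # name. Execute the method.
                     try:
-                        result_repr = strip_tags(str(getattr(result, field_name)()))
+                        result_repr = escape(str(getattr(result, field_name)()))
                     except ObjectDoesNotExist:
                         result_repr = EMPTY_CHANGELIST_VALUE
                 else:
@@ -392,7 +392,7 @@
                     # related object.
                     if isinstance(f.rel, meta.ManyToOne):
                         if field_val is not None:
-                            result_repr = getattr(result, 'get_%s' % f.name)()
+                            result_repr = escape(getattr(result, 'get_%s' % f.name)())
                         else:
                             result_repr = EMPTY_CHANGELIST_VALUE
                     # Dates are special: They're formatted in a certain way.
@@ -422,9 +422,9 @@
                     # Fields with choices are special: Use the representation
                     # of the choice.
                     elif f.choices:
-                        result_repr = dict(f.choices).get(field_val, EMPTY_CHANGELIST_VALUE)
+                        result_repr = escape(dict(f.choices).get(field_val, EMPTY_CHANGELIST_VALUE))
                     else:
-                        result_repr = strip_tags(str(field_val))
+                        result_repr = escape(str(field_val))
                 # Some browsers don't like empty "<td></td>"s.
                 if result_repr == '':
                     result_repr = '&nbsp;'
@@ -1024,11 +1024,11 @@
                 if rel_field.rel.edit_inline or not rel_opts.admin:
                     # Don't display link to edit, because it either has no
                     # admin or is edited inline.
-                    nh(deleted_objects, current_depth, ['%s: %s' % (capfirst(rel_opts.verbose_name), strip_tags(repr(sub_obj))), []])
+                    nh(deleted_objects, current_depth, ['%s: %s' % (capfirst(rel_opts.verbose_name), escape(repr(sub_obj))), []])
                 else:
                     # Display a link to the admin page.
                     nh(deleted_objects, current_depth, ['%s: <a href="../../../../%s/%s/%s/">%s</a>' % \
-                        (capfirst(rel_opts.verbose_name), rel_opts.app_label, rel_opts.module_name, sub_obj.id, strip_tags(repr(sub_obj))), []])
+                        (capfirst(rel_opts.verbose_name), rel_opts.app_label, rel_opts.module_name, sub_obj.id, escape(repr(sub_obj))), []])
                 _get_deleted_objects(deleted_objects, perms_needed, user, sub_obj, rel_opts, current_depth+2)
             # If there were related objects, and the user doesn't have
             # permission to delete them, add the missing perm to perms_needed.
@@ -1048,11 +1048,11 @@
                 # Don't display link to edit, because it either has no
                 # admin or is edited inline.
                 nh(deleted_objects, current_depth, ['One or more %s in %s: %s' % \
-                    (rel_field.name, rel_opts.verbose_name, strip_tags(repr(sub_obj))), []])
+                    (rel_field.name, rel_opts.verbose_name, escape(repr(sub_obj))), []])
             else:
                 # Display a link to the admin page.
                 nh(deleted_objects, current_depth, ['One or more %s in %s: <a href="../../../../%s/%s/%s/">%s</a>' % \
-                    (rel_field.name, rel_opts.verbose_name, rel_opts.app_label, rel_opts.module_name, sub_obj.id, strip_tags(repr(sub_obj))), []])
+                    (rel_field.name, rel_opts.verbose_name, rel_opts.app_label, rel_opts.module_name, sub_obj.id, escape(repr(sub_obj))), []])
         # If there were related objects, and the user doesn't have
         # permission to change them, add the missing perm to perms_needed.
         if rel_opts.admin and has_related_objs:
@@ -1069,7 +1069,7 @@
 
     # Populate deleted_objects, a data structure of all related objects that
     # will also be deleted.
-    deleted_objects = ['%s: <a href="../../%s/">%s</a>' % (capfirst(opts.verbose_name), object_id, strip_tags(repr(obj))), []]
+    deleted_objects = ['%s: <a href="../../%s/">%s</a>' % (capfirst(opts.verbose_name), object_id, escape(repr(obj))), []]
     perms_needed = sets.Set()
     _get_deleted_objects(deleted_objects, perms_needed, request.user, obj, opts, 1)
 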
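Review bot: The value placed inside the `href="..."` attribute at new lines 1031, 1055 and 1072 is still interpolated raw; only the `repr()` link text after it goes through `escape()`. `sub_obj.id` and `object_id` sit inside a double-quoted attribute, and `object_id` appears to come from the view's arguments (the function signature and its end are outside the hunk), so if a primary key can be a non-integer value the same HTML-escaping gap the patch closes in the link text remains in the link target. Wrapping them the same way, `object_id` → `escape(str(object_id))` and `sub_obj.id` → `escape(str(sub_obj.id))`, keeps the fix uniform. Separately, in the hunk at 422 `EMPTY_CHANGELIST_VALUE` is now passed through `escape()` while the assignments at 388 and 397 store it unescaped; if that constant ever contains markup the branches will render differently, so either escape it in all three places or move it out of the `escape()` call at 425.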