Index: django/contrib/admin/models.py
===================================================================
--- django/contrib/admin/models.py (revision 6209)
+++ django/contrib/admin/models.py (working copy)
@@ -49,4 +49,5 @@
Returns the admin URL to edit the object represented by this log entry.
This is relative to the Django admin index page.
"""
- return u"%s/%s/%s/" % (self.content_type.app_label, self.content_type.model, self.object_id)
+ from django.contrib.admin.views.main import quote
+ return u"%s/%s/%s/" % (self.content_type.app_label, self.content_type.model, quote(self.object_id))
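Review bot: The function-scope import of `quote` on the added line has no comment explaining why it is not at module level. The same local import is repeated in the delete view in options.py and in `get_deleted_objects` in util.py, where it runs again on every recursive call. If it exists to avoid a circular import with `django.contrib.admin.views.main` (presumably; that module's imports are not shown), say so with `# Imported here to avoid a circular import with admin.views.main`. The docstring above should also state that the object id segment is encoded with `quote()` and must be decoded with the matching `unquote()` by whatever resolves the URL. The method's signature is outside the hunk.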
Index: django/contrib/admin/options.py
===================================================================
--- django/contrib/admin/options.py (revision 6209)
+++ django/contrib/admin/options.py (working copy)
@@ -190,7 +190,7 @@
def fieldsets_add(self, request):
"Hook for specifying fieldsets for the add form."
raise NotImplementedError
-
+
def fieldsets_change(self, request, obj):
"Hook for specifying fieldsets for the change form."
raise NotImplementedError
@@ -198,7 +198,7 @@
class ModelAdmin(BaseModelAdmin):
"Encapsulates all admin options and functionality for a given model."
__metaclass__ = forms.MediaDefiningClass
-
+
list_display = ('__str__',)
list_display_links = ()
list_filter = ()
@@ -256,10 +256,10 @@
js.extend(['js/getElementsBySelector.js', 'js/dom-drag.js' , 'js/admin/ordering.js'])
if self.filter_vertical or self.filter_horizontal:
js.extend(['js/SelectBox.js' , 'js/SelectFilter2.js'])
-
+
return forms.Media(js=['%s%s' % (settings.ADMIN_MEDIA_PREFIX, url) for url in js])
media = property(_media)
-
+
def has_add_permission(self, request):
"Returns True if the given request has permission to add an object."
opts = self.opts
@@ -394,7 +394,7 @@
Saves the object in the "change" stage and returns an HttpResponseRedirect.
`form` is a bound Form instance that's verified to be valid.
-
+
`formsets` is a sequence of InlineFormSet instances that are verified to be valid.
"""
from django.contrib.admin.models import LogEntry, CHANGE
@@ -545,7 +545,7 @@
#related.get_accessor_name())
#orig_list = func()
#oldform.order_objects.extend(orig_list)
-
+
adminForm = AdminForm(form, self.fieldsets_change(request, obj), self.prepopulated_fields)
media = self.media + adminForm.media
for fs in inline_formsets:
@@ -601,6 +601,7 @@
"The 'delete' admin view for this model."
from django.contrib.contenttypes.models import ContentType
from django.contrib.admin.models import LogEntry, DELETION
+ from django.contrib.admin.views.main import quote
opts = self.model._meta
app_label = opts.app_label
@@ -620,7 +621,7 @@
# Populate deleted_objects, a data structure of all related objects that
# will also be deleted.
- deleted_objects = [u'%s: %s' % (force_unicode(capfirst(opts.verbose_name)), object_id, escape(str(obj))), []]
+ deleted_objects = [u'%s: %s' % (force_unicode(capfirst(opts.verbose_name)), quote(object_id), escape(str(obj))), []]
perms_needed = sets.Set()
get_deleted_objects(deleted_objects, perms_needed, request.user, obj, opts, 1)
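Review bot: Pairing `quote(object_id)` for the URL segment with `escape(...)` for the label is now done by hand here and at three sites in util.py's `get_deleted_objects`, so a later call site can easily apply one and forget the other. A small private helper that takes the path parts, the primary key and the object and returns the finished entry would keep URL quoting and HTML escaping in one place. As the line appears on this page, the format string has two `%s` for three arguments; presumably the anchor markup was lost in rendering, but it is worth confirming against the working copy. The view's body starts and ends outside the hunk.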
Index: django/contrib/admin/util.py
===================================================================
--- django/contrib/admin/util.py (revision 6209)
+++ django/contrib/admin/util.py (working copy)
@@ -12,6 +12,7 @@
def get_deleted_objects(deleted_objects, perms_needed, user, obj, opts, current_depth):
"Helper function that recursively populates deleted_objects."
+ from django.contrib.admin.views.main import quote
nh = _nest_help # Bind to local variable for performance
if current_depth > 16:
return # Avoid recursing too deep.
@@ -36,12 +37,12 @@
if related.field.rel.edit_inline or not related.opts.admin:
# Don't display link to edit, because it either has no
# admin or is edited inline.
- nh(deleted_objects, current_depth, [u'%s: %s' % (force_unicode(capfirst(related.opts.verbose_name)), sub_obj), []])
+ nh(deleted_objects, current_depth, [u'%s: %s' % (force_unicode(capfirst(related.opts.verbose_name)), escape(sub_obj)), []])
else:
# Display a link to the admin page.
nh(deleted_objects, current_depth, [u'%s: %s' % \
(force_unicode(capfirst(related.opts.verbose_name)), related.opts.app_label, related.opts.object_name.lower(),
- sub_obj._get_pk_val(), sub_obj), []])
+ quote(sub_obj._get_pk_val()), escape(sub_obj)), []])
get_deleted_objects(deleted_objects, perms_needed, user, sub_obj, related.opts, current_depth+2)
else:
has_related_objs = False
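Review bot: `escape(sub_obj)` now covers the object label in both branches, but `force_unicode(capfirst(related.opts.verbose_name))` is still interpolated into the same string unescaped, as are the `fieldname` and `name` values in the later 'One or more' hunk. These entries carry a link (per the comment "Display a link to the admin page"), so they are presumably emitted as markup and every interpolated value needs escaping where the string is built. Verbose names come from model definitions and translations rather than request data, so the exposure is small, but the fix is cheap: `escape(force_unicode(capfirst(related.opts.verbose_name)))`. The enclosing loop starts and ends outside the hunk.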
@@ -54,7 +55,7 @@
else:
# Display a link to the admin page.
nh(deleted_objects, current_depth, [u'%s: %s' % \
- (force_unicode(capfirst(related.opts.verbose_name)), related.opts.app_label, related.opts.object_name.lower(), sub_obj._get_pk_val(), escape(sub_obj)), []])
+ (force_unicode(capfirst(related.opts.verbose_name)), related.opts.app_label, related.opts.object_name.lower(), quote(sub_obj._get_pk_val()), escape(sub_obj)), []])
get_deleted_objects(deleted_objects, perms_needed, user, sub_obj, related.opts, current_depth+2)
# If there were related objects, and the user doesn't have
# permission to delete them, add the missing perm to perms_needed.
@@ -87,7 +88,7 @@
nh(deleted_objects, current_depth, [
(_('One or more %(fieldname)s in %(name)s:') % {'fieldname': force_unicode(related.field.verbose_name), 'name': force_unicode(related.opts.verbose_name)}) + \
(u' %s' % \
- (related.opts.app_label, related.opts.module_name, sub_obj._get_pk_val(), escape(sub_obj))), []])
+ (related.opts.app_label, related.opts.module_name, quote(sub_obj._get_pk_val()), escape(sub_obj))), []])
# If there were related objects, and the user doesn't have
# permission to change them, add the missing perm to perms_needed.
if related.opts.admin and has_related_objs:
Index: django/contrib/admin/views/main.py
===================================================================
--- django/contrib/admin/views/main.py (revision 6209)
+++ django/contrib/admin/views/main.py (working copy)
@@ -43,12 +43,11 @@
quoting is slightly different so that it doesn't get automatically
unquoted by the Web browser.
"""
- if type(s) != type(''):
- return s
+ if not isinstance(s,basestring): return s
res = list(s)
for i in range(len(res)):
c = res[i]
- if c in ':/_':
+ if c in ':/_#?;@&=+$,"<>%':
res[i] = '_%02X' % ord(c)
return ''.join(res)
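Review bot: The widened set in `if c in ':/_#?;@&=+$,"<>%':` still omits the single quote and whitespace, so the result is only safe inside a double-quoted `href`; either add `'` to the set or state that constraint in the docstring. The literal would read better as a named module-level constant with a comment grouping the characters: URL delimiters, HTML-significant characters, and `_` itself because it is the escape marker. `if not isinstance(s,basestring): return s` puts the body on the `if` line and drops the space after the comma; `if not isinstance(s, basestring):` with `return s` on its own line matches the rest of the function. The matching `unquote` is outside the hunk, so confirm that it decodes every `_XX` pair and not only the three characters the old set produced.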