Code

Opened 8 years ago

Closed 8 years ago

#1094 closed defect (invalid)

missing html escaping in django admin

Reported by: Armin Ronacher Owned by: adrian
Component: contrib.admin Version: 0.90
Severity: critical Keywords:
Cc: Triage Stage: Unreviewed
Has patch: no Needs documentation: no
Needs tests: no Patch needs improvement: no
Easy pickings: UI/UX:

Description

If you define a CharField in a model and the django admin displays this in the model overview html isn't escaped.

Ergo this works:

<script>alert("blub");</script>

Attachments (0)

Change History (2)

comment:1 Changed 8 years ago by adrian

Hi Armin -- In which context does this happen? On the change-list pages? I know we do escape this in most places...

comment:2 Changed 8 years ago by Armin Ronacher

  • Resolution set to invalid
  • Status changed from new to closed

argh. i'm sorry. my fault. escaping works but not as i expected. <hello> world results world.

Add Comment

Modify Ticket

Change Properties
<Author field>
Action
as closed
as The resolution will be set. Next status will be 'closed'
The resolution will be deleted. Next status will be 'new'
Author


E-mail address and user name can be saved in the Preferences.

 
Note: See TracTickets for help on using tickets.