Opened 20 years ago
Closed 20 years ago
#1094 closed defect (invalid)
missing html escaping in django admin
| Reported by: | Armin Ronacher | Owned by: | Adrian Holovaty | 
|---|---|---|---|
| Component: | contrib.admin | Version: | 0.90 | 
| Severity: | critical | Keywords: | |
| Cc: | | Triage Stage: | Unreviewed | 
| Has patch: | no | Needs documentation: | no | 
| Needs tests: | no | Patch needs improvement: | no | 
| Easy pickings: | no | UI/UX: | no | 
Description
If you define a CharField in a model and the django admin displays this in the model overview, the HTML isn't escaped.
Ergo this works:
<script>alert("blub");</script>
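What the report is about, as an added Python example that is neither part of the ticket nor Django's own code: it uses the standard library's html.escape and HTMLParser to show what a browser would derive from the quoted value when it is written into an admin cell unescaped versus escaped. REPORTED_VALUE is the string from the description; the function and class names are my own.

```python
from html import escape
from html.parser import HTMLParser

# The value quoted in the ticket (constructed test input, taken from the description).
REPORTED_VALUE = '<script>alert("blub");</script>'


class _BrowserView(HTMLParser):
    """Collect the tags and the visible text a browser would derive from a fragment."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.tags = []
        self.text = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)

    def handle_data(self, data):
        self.text.append(data)


def escape_for_html(value):
    """Escape a field value before it is placed in an HTML cell.

    quote=True also escapes quote characters, so the result is safe inside
    attribute values as well as in element content.
    """
    return escape(value, quote=True)


def tags_in_rendered_html(fragment):
    """Tags a browser would interpret from the fragment (a script tag means code runs)."""
    parser = _BrowserView()
    parser.feed(fragment)
    parser.close()
    return parser.tags


def text_in_rendered_html(fragment):
    """Visible text the browser would show, with character references decoded."""
    parser = _BrowserView()
    parser.feed(fragment)
    parser.close()
    return "".join(parser.text)


if __name__ == "__main__":
    raw = REPORTED_VALUE
    safe = escape_for_html(REPORTED_VALUE)
    print("unescaped cell -> tags:", tags_in_rendered_html(raw))   # ['script']
    print("escaped cell   -> tags:", tags_in_rendered_html(safe))  # []
    print("escaped cell   -> text:", text_in_rendered_html(safe))  # the stored value, verbatim
```

The check a reviewer wants is the escaped case: no tag reaches the parser and the visible text is exactly the stored value. The same parse also shows why an unescaped `<hello> world` displays only the word "world": the unknown tag is consumed as markup and contributes no text.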
Change History (2)
comment:1 by , 20 years ago
Hi Armin -- In which context does this happen? On the change-list pages? I know we do escape this in most places...
comment:2 by , 20 years ago
| Resolution: | → invalid | 
|---|---|
| Status: | new → closed | 
argh. i'm sorry. my fault. escaping works but not as i expected. <hello> world results in world.