Opened 19 years ago
Closed 19 years ago
#1094 closed defect (invalid)
missing html escaping in django admin
Reported by: | Armin Ronacher | Owned by: | Adrian Holovaty |
---|---|---|---|
Component: | contrib.admin | Version: | 0.90 |
Severity: | critical | Keywords: | |
Cc: | | Triage Stage: | Unreviewed |
Has patch: | no | Needs documentation: | no |
Needs tests: | no | Patch needs improvement: | no |
Easy pickings: | no | UI/UX: | no |
Description
If you define a CharField in a model and the Django admin displays it in the model overview, the HTML isn't escaped.
Ergo this works:
<script>alert("blub");</script>
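The check a reviewer would run on this report, as an added example that is not part of the ticket and not Django's own admin code: render a field value into a change-list cell with and without entity escaping, then parse the result the way a browser would and list any element that came from the value. It uses only the Python standard library (html.escape, html.parser); render_cell, injected_tags, PAYLOAD and PROBE are names introduced here, and the two sample values are the reporter's payload and the probe from the closing comment.

```python
"""Verify that a model field value is HTML-escaped before it lands in an
admin change-list cell.  Added example using only the standard library;
it stands in for the template autoescaping the real admin relies on."""
import html
from html.parser import HTMLParser


def render_cell(value: str, escape: bool = True) -> str:
    """Render one change-list cell.  escape=True entity-escapes the value
    (what an autoescaping template does); escape=False interpolates the raw
    string, which is the behaviour the ticket claims to have observed."""
    shown = html.escape(value, quote=True) if escape else value
    return f"<td>{shown}</td>"


class _TagCollector(HTMLParser):
    """Collect every start tag a browser would see in a fragment."""

    def __init__(self) -> None:
        super().__init__()
        self.tags: list[str] = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)


def injected_tags(fragment: str) -> list[str]:
    """Element names parsed from the fragment other than the <td> wrapper.
    Anything listed here was smuggled in by the field value, i.e. the value
    reached the page unescaped."""
    parser = _TagCollector()
    parser.feed(fragment)
    parser.close()
    return [t for t in parser.tags if t != "td"]


# Constructed sample values: the reporter's payload and the comment's probe.
PAYLOAD = '<script>alert("blub");</script>'
PROBE = "<hello> world"

if __name__ == "__main__":
    for value in (PAYLOAD, PROBE):
        for escape in (True, False):
            cell = render_cell(value, escape=escape)
            print(f"escape={escape!s:5} -> {cell}  injected={injected_tags(cell)}")
```

With escaping on, the cell contains no element other than the wrapper and the browser displays the literal text; with it off, the parser reports `script` (or `hello`), which is exactly the condition a regression test for this ticket should assert never occurs. The probe also explains the closing comment: an unknown `<hello>` element renders as nothing, so an unescaped `<hello> world` shows only `world`, while an escaped one shows the whole string.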
Change History (2)
comment:1 by , 19 years ago
Hi Armin -- In which context does this happen? On the change-list pages? I know we do escape this in most places...
comment:2 by , 19 years ago
Resolution: | → invalid |
---|---|
Status: | new → closed |
Argh. I'm sorry. My fault. Escaping works but not as I expected. <hello> world results world.