Wrong escaping in admin
|Reported by:||Owned by:||nobody|
|Cc:||tomasz.elendt@…, rlaager@…||Triage Stage:||Accepted|
|Has patch:||yes||Needs documentation:||no|
|Needs tests:||no||Patch needs improvement:||no|
There are some places (I found two of them) in Django's admin where querystrings used in templates are marked as safe, which prevents them from auto-escaping. In effect there's unescaped ampersand, when there's more than one variable in querystring. It's hard for me to instruct how to reproduce this bug - IMHO the easiest way is to set your
'application/xhtml+xml' and click through the change list page of the admin (date_hierarchy menu, paginator).
There are also some formatting issues (e.g. some very long lines) in