Wrong escaping in admin
| Reported by: |
Tomasz Elendt <tomasz.elendt@…> |
Owned by: |
nobody |
|
Component:
|
contrib.admin
|
Version:
|
dev
|
|
Severity:
|
|
Keywords:
|
|
|
Cc:
|
tomasz.elendt@…, rlaager@…
|
Triage Stage:
|
Accepted
|
|
Has patch:
|
yes
|
Needs documentation:
|
no
|
|
Needs tests:
|
no
|
Patch needs improvement:
|
no
|
|
Easy pickings:
|
no
|
UI/UX:
|
no
|
There are some places (I found two of them) in Django's admin where querystrings used in templates are marked as safe, which prevents them from auto-escaping. In effect there's unescaped ampersand, when there's more than one variable in querystring. It's hard for me to instruct how to reproduce this bug - IMHO the easiest way is to set your DEFAULT_CONTENT_TYPE to 'application/xhtml+xml' and click through the change list page of the admin (date_hierarchy menu, paginator).
There are also some formatting issues (e.g. some very long lines) in admin_list.py.
Change History
(7)
| Triage Stage: |
Unreviewed → Accepted
|
| Resolution: |
→ fixed
|
| Status: |
new → closed
|
Pulled changes from #11583