Wrong escaping in admin
Reported by: Tomasz Elendt <tomasz.elendt@…>
Owned by: nobody
Cc: tomasz.elendt@…, rlaager@…
Triage Stage: Accepted
Has patch: yes
Needs documentation: no
Needs tests: no
Patch needs improvement: no
There are some places (I found two of them) in Django's admin where querystrings used in templates are marked as safe, which prevents them from being auto-escaped. In effect there's an unescaped ampersand when there's more than one variable in the querystring. It's hard for me to explain how to reproduce this bug - IMHO the easiest way is to set your DEFAULT_CONTENT_TYPE to 'application/xhtml+xml' and click through the change list page of the admin (date_hierarchy menu, paginator).
There are also some formatting issues (e.g. some very long lines) in admin_list.py.
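An added illustration of the reporter's point, not code from the ticket or from Django (it uses only the Python standard library and a constructed querystring): a querystring inserted verbatim, as a value marked safe would be, leaves the `&` between two variables unescaped and an XHTML parser rejects the link, while auto-escaping yields `&amp;` and well-formed markup.

```python
"""Added example (not from the ticket or Django): why a safe-marked querystring
with more than one variable produces an unescaped '&' that breaks XHTML."""
from html import escape
from urllib.parse import urlencode
from xml.etree import ElementTree


def build_query(params):
    """Build a raw querystring the way a paginator or date_hierarchy link
    would; params is a list of (name, value) pairs so the order is fixed."""
    return "?" + urlencode(params)


def render_link(query, mark_safe):
    """Render an anchor. mark_safe=True mimics the bug: the querystring is
    inserted verbatim. mark_safe=False applies HTML auto-escaping, which
    turns '&' into '&amp;' (and also escapes <, >, " and ')."""
    href = query if mark_safe else escape(query, quote=True)
    return '<a href="%s">next</a>' % href


def is_well_formed_xhtml(fragment):
    """True if a strict XML parser (what an XHTML browser uses when the
    document is served as application/xhtml+xml) accepts the fragment.
    A bare '&o=1' is not a valid entity reference, so parsing fails."""
    try:
        ElementTree.fromstring(fragment)
        return True
    except ElementTree.ParseError:
        return False


if __name__ == "__main__":
    # Constructed sample: two variables, as the paginator emits with ordering.
    query = build_query([("p", 2), ("o", 1)])
    for safe in (True, False):
        link = render_link(query, mark_safe=safe)
        print("mark_safe=%-5s %s  well-formed: %s"
              % (safe, link, is_well_formed_xhtml(link)))
```

With a single variable the safe-marked link happens to parse, which is why the bug only shows once a second variable (and thus an `&`) appears.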
Change History (7)
Changed 5 years ago by anonymous
Changed 5 years ago by Tomasz Elendt <tomasz.elendt@…>
comment:1 Changed 5 years ago by anonymous
- Cc rlaager@… added
- Needs documentation unset
- Needs tests unset
- Patch needs improvement unset