
Opened 5 years ago

Closed 5 years ago

#11502 closed (fixed)

Wrong escaping in admin

Reported by: Tomasz Elendt <tomasz.elendt@…>
Owned by: nobody
Component: contrib.admin
Version: master
Severity:
Keywords:
Cc: tomasz.elendt@…, rlaager@…
Triage Stage: Accepted
Has patch: yes
Needs documentation: no
Needs tests: no
Patch needs improvement: no
Easy pickings:
UI/UX:

Description

There are some places (I found two of them) in Django's admin where querystrings used in templates are marked as safe, which prevents them from auto-escaping. In effect there's unescaped ampersand, when there's more than one variable in querystring. It's hard for me to instruct how to reproduce this bug - IMHO the easiest way is to set your DEFAULT_CONTENT_TYPE to 'application/xhtml+xml' and click through the change list page of the admin (date_hierarchy menu, paginator).

There are also some formatting issues (e.g. some very long lines) in admin_list.py.
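The bug the description reports, as an added example that is not part of the ticket or of Django's code: it models a paginator href built from several parameters, once marked safe (the pre-fix behaviour, so the raw '&' reaches the page) and once auto-escaped, and checks each fragment as XML the way a browser does for application/xhtml+xml. The function names and the sample parameters are this example's own assumptions.

```python
"""Added example (not from the ticket or Django): a query string with several
parameters inserted into an <a href>. Marked "safe" it bypasses auto-escaping
and the bare '&' makes the document non-well-formed XHTML; escaped it becomes
'&amp;'. Names here (render_link, is_well_formed_xhtml) are this example's own."""
import html
import xml.etree.ElementTree as ET
from urllib.parse import urlencode


def build_querystring(params: dict) -> str:
    """Join parameters with '&', as the admin's paginator links do."""
    return "?" + urlencode(params)


def render_link(params: dict, mark_safe: bool) -> str:
    """Render the href of a paginator link.

    mark_safe=True mimics the original template behaviour (the value skips
    auto-escaping); mark_safe=False mimics the fix (the value is escaped).
    """
    qs = build_querystring(params)
    href = qs if mark_safe else html.escape(qs, quote=True)
    return f'<a href="{href}">next</a>'


def is_well_formed_xhtml(fragment: str) -> bool:
    """Parse the fragment as XML, which is what a browser does for
    application/xhtml+xml: a bare '&' is a fatal parse error there."""
    try:
        ET.fromstring(fragment)
        return True
    except ET.ParseError:
        return False


# Constructed sample: a change list filtered by date_hierarchy plus a page number.
SAMPLE_PARAMS = {"year": "2009", "month": "7", "p": "2"}

if __name__ == "__main__":
    for safe in (True, False):
        link = render_link(SAMPLE_PARAMS, mark_safe=safe)
        print(f"mark_safe={safe}: {link} well-formed={is_well_formed_xhtml(link)}")
```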

Attachments (3)

admin_querysting_escaping.diff (1.2 KB) - added by anonymous 5 years ago.
admin_escaping.diff (2.1 KB) - added by Tomasz Elendt <tomasz.elendt@…> 5 years ago.
Pulled changes from #11583
django_escaping.diff (1.6 KB) - added by Tomasz Elendt <tomasz.elendt@…> 5 years ago.
Updated patch


Change History (7)

Changed 5 years ago by anonymous

Changed 5 years ago by Tomasz Elendt <tomasz.elendt@…>

Pulled changes from #11583

comment:1 Changed 5 years ago by anonymous

  • Cc rlaager@… added
  • Needs documentation unset
  • Needs tests unset
  • Patch needs improvement unset

comment:2 Changed 5 years ago by Alex

  • Triage Stage changed from Unreviewed to Accepted

comment:3 Changed 5 years ago by Tomasz Elendt <tomasz.elendt@…>

One of the fixes in this patch has been pushed into trunk in r11486 (Ticket #11252). The attached patch needs to be changed so that it can be applied to trunk in its current state.

Changed 5 years ago by Tomasz Elendt <tomasz.elendt@…>

Updated patch

comment:4 Changed 5 years ago by lukeplant

  • Resolution set to fixed
  • Status changed from new to closed

(In [11497]) Fixed #11502 - wrong escaping in admin.

Thanks Tomasz Elendt.
