id summary reporter owner description type status component version severity resolution keywords cc stage has_patch needs_docs needs_tests needs_better_patch easy ui_ux
11502 Wrong escaping in admin Tomasz Elendt nobody "There are some places (I found two of them) in Django's admin where querystrings used in templates are marked as safe, which prevents them from auto-escaping. In effect there's an unescaped ampersand when there's more than one variable in the querystring. It's hard for me to instruct how to reproduce this bug - IMHO the easiest way is to set your `DEFAULT_CONTENT_TYPE` to `'application/xhtml+xml'` and click through the change list page of the admin (date_hierarchy menu, paginator). There are also some formatting issues (e.g. some very long lines) in `admin_list.py`." closed contrib.admin dev fixed tomasz.elendt@… rlaager@… Accepted 1 0 0 0 0 0