id	summary	reporter	owner	description	type	status	component	version	severity	resolution	keywords	cc	stage	has_patch	needs_docs	needs_tests	needs_better_patch	easy	ui_ux
2148	[patch] ForeignKey fields not escaped correctly in django admin	rushman@…	Adrian Holovaty	"Steps to reproduce:
{{{
1. two models m1 and m2
2. m2 has a foreign key to m1, and this key is set in list_display
3. m1 __str__ returns '<script>alert(1)</script>'

When you open the list of m2 objects in the Django admin, you should get some alerts.

}}}

Since this is a security hole, I'm setting severity to 'major'."	defect	closed	contrib.admin	dev	major	fixed		Sergey Kirillov <rushman@…>	Unreviewed	1	0	0	0	0	0
