Opened 10 years ago

Closed 10 years ago

#2290 closed defect (fixed)

HTML not escaped in Admin messages

Reported by: anonymous Owned by: Adrian Holovaty
Component: contrib.admin Version:
Severity: normal Keywords:
Cc: Triage Stage: Unreviewed
Has patch: no Needs documentation: no
Needs tests: no Patch needs improvement: no
Easy pickings: UI/UX:

Description

Messages in the Admin interface (e.g. "The --- was changed successfully") are not HTML escaped. Line 33 of contrib\admin\templates\admin\base.html should be as follows:

<ul class="messagelist">{% for message in messages %}<li>{{ message|escape }}</li>{% endfor %}</ul>

Sean :)

Change History (3)

comment:1 Changed 10 years ago by James Bennett

priority: highnormal
Severity: majornormal

Looks like this is a superset of #2056, which didn't entirely fix the problem.

comment:2 Changed 10 years ago by Chris Beaven

Sigh... the ongoing saga of unescaped messages...

comment:3 Changed 10 years ago by Adrian Holovaty

Resolution: fixed
Status: newclosed

(In [3282]) Fixed #2290 -- Escaped HTML in admin messages. Thanks, Sean

Note: See TracTickets for help on using tickets.
Back to Top