Opened 10 years ago

Closed 10 years ago

#2290 closed defect (fixed)

HTML not escaped in Admin messages

Reported by: anonymous Owned by: adrian
Component: contrib.admin Version:
Severity: normal Keywords:
Cc: Triage Stage: Unreviewed
Has patch: no Needs documentation: no
Needs tests: no Patch needs improvement: no
Easy pickings: UI/UX:


Messages in the Admin interface (e.g. "The --- was changed successfully") are not HTML escaped. Line 33 of contrib\admin\templates\admin\base.html should be as follows:

<ul class="messagelist">{% for message in messages %}<li>{{ message|escape }}</li>{% endfor %}</ul>

Sean :)

Change History (3)

comment:1 Changed 10 years ago by ubernostrum

  • priority changed from high to normal
  • Severity changed from major to normal

Looks like this is a superset of #2056, which didn't entirely fix the problem.

comment:2 Changed 10 years ago by SmileyChris

Sigh... the ongoing saga of unescaped messages...

comment:3 Changed 10 years ago by adrian

  • Resolution set to fixed
  • Status changed from new to closed

(In [3282]) Fixed #2290 -- Escaped HTML in admin messages. Thanks, Sean

Note: See TracTickets for help on using tickets.
Back to Top