Opened 10 years ago

Closed 10 years ago

#2346 closed defect (fixed)

[patch] admin's base.html template needs to escape {{ title }}

Reported by: Gary Wilson <gary.wilson@…> Owned by: Adrian Holovaty
Component: contrib.admin Version:
Severity: major Keywords:
Cc: Triage Stage: Unreviewed
Has patch: yes Needs documentation: no
Needs tests: no Patch needs improvement: no
Easy pickings: UI/UX:


The admin's views.main.history view sets the "title" template tag to the string representation of the object, which can contain HTML.

Attachments (1)

base.html.diff (733 bytes) - added by Gary Wilson <gary.wilson@…> 10 years ago.


Change History (4)

Changed 10 years ago by Gary Wilson <gary.wilson@…>

Attachment: base.html.diff added

comment:1 Changed 10 years ago by James Bennett

One of these days someone will just do a global search and replace in the admin, turning }} into |escape }}.

comment:2 Changed 10 years ago by Chris Beaven

Won't it be good when we have autoescaping templates ;)

comment:3 Changed 10 years ago by Malcolm Tredinnick

Resolution: fixed
Status: new → closed

(In [3342]) Fixed #2346 -- Escaped string output in titles in admin interface. Thanks Gary
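
The kind of audit comment:1 alludes to, as an added example (not part of the ticket, the attached patch, or Django's code): a scanner that lists `{{ ... }}` variable tags lacking the `escape` filter, plus a toy renderer showing what reaches the page when an object's string form contains markup. The template fragment, the `Article` class and all function names are constructed for illustration.

```python
import html
import re

# Matches a Django-style variable tag and captures the expression inside it.
VAR_TAG = re.compile(r"\{\{\s*(.*?)\s*\}\}")

# Constructed template fragment based only on the ticket's description;
# it is not the real contents of the admin's base.html.
SAMPLE_TEMPLATE = """<html>
<head><title>{{ title }}</title></head>
<body>
<h1>{{ title|escape }}</h1>
<p>{{ object_name|capfirst }}</p>
</body>
</html>
"""


def find_unescaped(source):
    """Return (line_number, expression) for each variable tag without |escape."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for match in VAR_TAG.finditer(line):
            expr = match.group(1)
            # Filter names follow each "|"; drop any ":argument" suffix.
            filters = [f.split(":")[0].strip() for f in expr.split("|")[1:]]
            if "escape" not in filters:
                findings.append((lineno, expr))
    return findings


def render(source, context):
    """Toy renderer: substitutes variables and honours only the escape filter."""
    def substitute(match):
        parts = [p.strip() for p in match.group(1).split("|")]
        value = str(context.get(parts[0], ""))
        if "escape" in parts[1:]:
            value = html.escape(value)
        return value
    return VAR_TAG.sub(substitute, source)


class Article:
    """Constructed stand-in for a model whose string form contains markup."""
    def __init__(self, headline):
        self.headline = headline

    def __str__(self):
        return self.headline
```

Rendering `SAMPLE_TEMPLATE` with `{"title": Article("<b>x</b>")}` leaves the markup intact inside `<title>` and entity-encoded inside `<h1>`, and `find_unescaped(SAMPLE_TEMPLATE)` reports the two tags that still need review.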
