Opened 18 years ago

Closed 18 years ago

#2505 closed defect (wontfix)

[patch] links in admin_doc for models won't work

Reported by: dummy@… Owned by: Adrian Holovaty
Component: contrib.admin Version: dev
Severity: normal Keywords:
Cc: Triage Stage: Unreviewed
Has patch: yes Needs documentation: no
Needs tests: no Patch needs improvement: no
Easy pickings: no UI/UX: no


With Changeset 3350 the verbose field was escaped to be save.
Since the verbose fields are computed by admin_doc himself it should be safe enough, or not ?

The verbose field for models contains <p> and <a> tags with nice cross reference links.

Maybe its worth enough to let those tags alife again ?

Attachments (1)

admin_doc_model_detail.diff (686 bytes ) - added by dummy@… 18 years ago.
enable the verbose field of models in admin_doc

Download all attachments as: .zip

Change History (2)

by dummy@…, 18 years ago

Attachment: admin_doc_model_detail.diff added

enable the verbose field of models in admin_doc

comment:1 by Malcolm Tredinnick, 18 years ago

Resolution: wontfix
Status: newclosed

It was decided not to allow verbose names to contain HTML markup. Because they have to be displayed in multiple situations (not just HTML), it becomes too difficult to know when special caharacters have to be escaped or not (always escaping means that you can't put things like "&" in there and also have it work in non-HTML situations).

The fact that admin_doc is going the presentation means nothing here: all it is doing is extracting the value the user entered. So if somebody provides an app with malicious code in a single field's verbose name, it's bad.

There is an argument to be made for making help text be non-escaped, although the above arguments still apply. But verbose names should be escaped.

Note: See TracTickets for help on using tickets.
Back to Top