Opened 8 years ago

Closed 8 years ago

#2505 closed defect (wontfix)

[patch] links in admin_doc for models won't work

Reported by: dummy@…
Owned by: adrian
Component: contrib.admin
Version: master
Severity: normal
Keywords:
Cc:
Triage Stage: Unreviewed
Has patch: yes
Needs documentation: no
Needs tests: no
Patch needs improvement: no
Easy pickings:
UI/UX:

Description

With Changeset 3350 http://code.djangoproject.com/changeset/3350 the verbose field was escaped to be safe.
Since the verbose fields are computed by admin_doc itself, it should be safe enough, or not?

The verbose field for models contains <p> and <a> tags with nice cross-reference links.

Maybe it's worth it to leave those tags alive again?

Attachments (1)

admin_doc_model_detail.diff (686 bytes) - added by dummy@… 8 years ago.
enable the verbose field of models in admin_doc

Change History (2)

Changed 8 years ago by dummy@…

enable the verbose field of models in admin_doc

comment:1 Changed 8 years ago by mtredinnick

  • Resolution set to wontfix
  • Status changed from new to closed

It was decided not to allow verbose names to contain HTML markup. Because they have to be displayed in multiple situations (not just HTML), it becomes too difficult to know when special characters have to be escaped or not (always escaping means that you can't put things like "&" in there and also have it work in non-HTML situations).

The fact that admin_doc is doing the presentation means nothing here: all it is doing is extracting the value the user entered. So if somebody provides an app with malicious code in a single field's verbose name, it's bad.

There is an argument to be made for making help text be non-escaped, although the above arguments still apply. But verbose names should be escaped.
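The trade-off in the comment above, as an added illustration that is not part of the ticket or of Django's code: `FieldMeta` is a constructed stand-in for a model field's metadata, and the two renderers show why escaping must happen at output time for the HTML context only, so that an "&" in a verbose name survives in plain text while any `<a>` markup an app ships is shown literally in admin_doc rather than rendered.

```python
import html
from dataclasses import dataclass


@dataclass(frozen=True)
class FieldMeta:
    """Constructed stand-in for a Django model field's metadata (hypothetical, not Django code)."""
    name: str
    verbose_name: str


def render_html(field: FieldMeta) -> str:
    """HTML context (e.g. admin_doc): escape the stored value at output time.

    Whatever the app author put in verbose_name, including <a> or <p> tags,
    is shown as literal text, so a third-party app cannot inject markup
    into the documentation page.
    """
    return '<p><strong>%s</strong> (%s)</p>' % (html.escape(field.verbose_name), field.name)


def render_text(field: FieldMeta) -> str:
    """Plain-text context (e.g. a console listing): the raw value is correct as-is."""
    return '%s (%s)' % (field.verbose_name, field.name)


def store_pre_escaped(field: FieldMeta) -> FieldMeta:
    """The alternative the comment rejects: escape once when the value is defined.

    "&" becomes "&amp;" permanently, which is wrong everywhere except HTML.
    """
    return FieldMeta(field.name, html.escape(field.verbose_name))


# Constructed sample fields: one with a bare ampersand, one with the kind of
# cross-reference link the ticket asked to keep.
AMPERSAND = FieldMeta("rd_budget", "R&D budget")
MARKUP = FieldMeta("owner", '<a href="/admin/doc/models/auth.user/">owner</a>')

if __name__ == "__main__":
    for f in (AMPERSAND, MARKUP):
        print(render_html(f))
        print(render_text(f))
    # Pre-escaping breaks the plain-text context:
    print(render_text(store_pre_escaped(AMPERSAND)))
```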
