#25135 closed Cleanup/optimization (fixed)
Deprecate admin list_display allow_tags
| Reported by: | Jaap Roes | Owned by: | Ola Sitarska |
|---|---|---|---|
| Component: | contrib.admin | Version: | dev |
| Severity: | Normal | Keywords: | |
| Cc: | | Triage Stage: | Ready for checkin |
| Has patch: | yes | Needs documentation: | no |
| Needs tests: | no | Patch needs improvement: | no |
| Easy pickings: | no | UI/UX: | no |
Description
I've noticed that setting `allow_tags` on a `list_display` function is not necessary if it already returns a safe string (by using `mark_safe` or `format_html`).

The docs on `allow_tags` mention:

> If the string given is a method of the model, ModelAdmin or a callable, Django will HTML-escape the output by default. If you'd rather not escape the output of the method, give the method an `allow_tags` attribute whose value is `True`. However, to avoid an XSS vulnerability, you should use `format_html()` to escape user-provided inputs.

To push people to actually do that, deprecating `allow_tags` and pointing to `format_html`/`mark_safe` could be a good thing.
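As an added illustration of the point above (not code from the ticket or from Django itself): a minimal, hypothetical stand-in for the admin's changelist cell rendering and for `mark_safe`/`format_html`, showing that a column callable returning a safe string needs no `allow_tags`, while `allow_tags` combined with plain string formatting lets field values reach the page unescaped. The helper names mirror Django's but are simplified re-implementations assumed here only for the demonstration.

```python
from html import escape
from types import SimpleNamespace


class SafeString(str):
    """Marker type for text already trusted as HTML (stand-in for Django's SafeString)."""


def mark_safe(value):
    """Wrap a string so the renderer will not escape it again (simplified stand-in)."""
    return value if isinstance(value, SafeString) else SafeString(value)


def conditional_escape(value):
    """Pass safe strings through untouched; HTML-escape everything else."""
    if isinstance(value, SafeString):
        return value
    return SafeString(escape(str(value)))


def format_html(fmt, *args, **kwargs):
    """Escape every interpolated argument, then mark the assembled markup safe."""
    safe_args = [conditional_escape(a) for a in args]
    safe_kwargs = {k: conditional_escape(v) for k, v in kwargs.items()}
    return mark_safe(fmt.format(*safe_args, **safe_kwargs))


def render_cell(column, obj):
    """Simplified changelist cell rendering: honour allow_tags, otherwise escape the result."""
    result = column(obj)
    if getattr(column, "allow_tags", False):
        return mark_safe(result)           # trusted verbatim, whatever it contains
    return conditional_escape(result)      # safe strings survive, plain strings are escaped


# The pattern the ticket wants deprecated: allow_tags plus plain string formatting,
# so user-controlled field values are inserted into the markup without escaping.
def link_with_allow_tags(obj):
    return '<a href="%s">%s</a>' % (obj.url, obj.title)


link_with_allow_tags.allow_tags = True


# The replacement: format_html escapes the interpolated values and returns a safe
# string, so the column needs no allow_tags attribute at all.
def link_with_format_html(obj):
    return format_html('<a href="{}">{}</a>', obj.url, obj.title)


# Constructed sample record whose title carries markup and an ampersand.
SAMPLE = SimpleNamespace(title="Q&A <b>tips</b>", url="/articles/1/")
```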
Change History (10)
comment:1 by , 9 years ago
| Triage Stage: | Unreviewed → Accepted |
|---|---|
comment:2 by , 9 years ago
| Owner: | changed from | to |
|---|---|---|
| Status: | new → assigned | |
Created a pull request with my initial attempt. Django tests all pass, but it might just be that `allow_tags` is not tested that well.
Having a hard time figuring out where to add tests though...
comment:3 by , 9 years ago
| Has patch: | set | |
|---|---|---|
| Owner: | changed from | to |
Looking at the code, I think it could be a bit tricky, but the idea sounds good.