#25135 closed Cleanup/optimization (fixed)
Deprecate admin list_display allow_tags
| Reported by: | Jaap Roes | Owned by: | Ola Sitarska |
|---|---|---|---|
| Component: | contrib.admin | Version: | dev |
| Severity: | Normal | Keywords: | |
| Cc: | Triage Stage: | Ready for checkin | |
| Has patch: | yes | Needs documentation: | no |
| Needs tests: | no | Patch needs improvement: | no |
| Easy pickings: | no | UI/UX: | no |
Description
I've noticed that setting allow_tags on a list_display function is not necessary if it already returns a safe string (by using mark_safe or format_html).
The docs on allow_tags mention:
If the string given is a method of the model, ModelAdmin or a callable, Django will HTML-escape the output by default. If you’d rather not escape the output of the method, give the method an
allow_tagsattribute whose value isTrue. However, to avoid an XSS vulnerability, you should useformat_html()to escape user-provided inputs.
To push people to actually do that, deprecating allow_tags and pointing to format_html/mark_safe could be a good thing.
Change History (10)
comment:1 by , 9 years ago
| Triage Stage: | Unreviewed → Accepted |
|---|
comment:2 by , 9 years ago
| Owner: | changed from to |
|---|---|
| Status: | new → assigned |
Created a pull request with my initial attempt. Django tests all pass, but it might just be that allow_tags is not tested that well.
Having a hard time figuring out where to add tests though...
comment:3 by , 9 years ago
| Has patch: | set |
|---|---|
| Owner: | changed from to |
Looking at the code, I think it could be a bit tricky, but the idea sounds good.