id	summary	reporter	owner	description	type	status	component	version	severity	resolution	keywords	cc	stage	has_patch	needs_docs	needs_tests	needs_better_patch	easy	ui_ux
25135	Deprecate admin list_display allow_tags	Jaap Roes	Ola Sitarska	"I've noticed that setting `allow_tags` on a `list_display` function is not necessary if it already returns a safe string (by using `mark_safe` or `format_html`).

The docs on `allow_tags` mention:

 If the string given is a method of the model, ModelAdmin or a callable, Django will HTML-escape the output by default. If you’d rather not escape the output of the method, give the method an `allow_tags` attribute whose value is `True`. However, to avoid an XSS vulnerability, you should use `format_html()` to escape user-provided inputs.

To push people to actually do that, deprecating `allow_tags` and pointing to `format_html`/`mark_safe` could be a good thing."	Cleanup/optimization	closed	contrib.admin	dev	Normal	fixed			Ready for checkin	1	0	0	0	0	0
