Opened 2 years ago

Closed 2 years ago

#31427 closed New feature (needsinfo)

Better support for __html__ in django admin

Reported by: Olivier Dalang
Owned by: Andy Robles
Component: contrib.admin
Version: 3.0
Severity: Normal
Keywords:
Cc:
Triage Stage: Unreviewed
Has patch: no
Needs documentation: no
Needs tests: no
Patch needs improvement: no
Easy pickings: no
UI/UX: yes

Description (last modified by Carlton Gibson)

Django supports custom html representation for objects using the __html__ method (see #7261).

This is supposedly used when trying to display the object as html: if the object provides an html representation, this is used instead of an html-escaped version of str. This is implemented in django.utils.html.conditional_escape, used in turn by format_html (and similar).

This feature is really nice. It allows, for instance, adding colors or icons to the instance's representation very consistently, which in some cases can really help in terms of UX (e.g. color for the instance's state).

Unfortunately, this is only very partially supported in Django admin, where most of the time the str representation is used instead.

Currently, the only place where I could see the __html__ used is in the confirmation message after changing an object ("The object “XYZ” was changed successfully.").

The __html__ method is not used in:

  • the default representation of the changelist (when list_display is not set)
  • the breadcrumbs
  • the filters of the changelist
  • the select with autocomplete (despite select2 supporting html)
  • etc...

I suggest changing this wherever possible in Django admin. It shouldn't be too big of a change. It's probably mostly replacing str(obj) by conditional_escape(obj) wherever HTML is admissible.

Long live Django & Django admin :-)

Attachments (2)

example_html_djanngo.PNG (34.2 KB) - added by Olivier Dalang 2 years ago.
example 1
example_html_djanngo_2.PNG (36.2 KB) - added by Olivier Dalang 2 years ago.
example 2


Change History (5)

comment:1 Changed 2 years ago by Olivier Dalang

Type: Uncategorized → New feature

Changed 2 years ago by Olivier Dalang

Attachment: example_html_djanngo.PNG added

example 1

Changed 2 years ago by Olivier Dalang

Attachment: example_html_djanngo_2.PNG added

example 2

comment:2 Changed 2 years ago by Andy Robles

Owner: changed from nobody to Andy Robles
Status: new → assigned

comment:3 Changed 2 years ago by Carlton Gibson

Description: modified (diff)
Resolution: needsinfo
Status: assigned → closed

Grrr.

> Django supports custom html representation for objects using the __html__ method

I don't think that's the intended use-case.

Rather:

This shouldn't be thought of as *replacement* for autoescaping, since that's not required, but as something that uses it for interoperability.

i.e. it was introduced so the DTL could understand that strings from other template engines were pre-escaped.

The __html__() method is hardly documented — it's mentioned only in passing for html_safe.

I'm not 100% averse to the idea here—I can see the appeal—vs what? implementing str() to mark safe, or a proxy class doing the same for use in the admin...? Overriding the templates?, and so on... — but (A) security — do folks really emit safe HTML? — and then (B) it's a change in the intended use, so ... 😬

I'll initially say needsinfo rather than wontfix here.

  • What does it really involve? Documenting __html__() and promoting to a recommended approach.
  • A PoC concept PR: What do the changes look like? (In draft)
  • Then, is there any support for such a change on the DevelopersMailingList? (vs the alternatives)

I hope that makes sense.
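
Added example (not from the ticket and not Django's own code): a standard-library sketch of the dispatch the description attributes to conditional_escape, showing why the security question raised in comment:3 matters once `__html__` output is rendered without further escaping. The names `conditional_escape_sketch`, `Plain`, `UnsafeBadge`, `SafeBadge` and `leaks_markup` are hypothetical.

```python
import html


def conditional_escape_sketch(value):
    """Simplified stand-in (assumption) for the behaviour described in the
    ticket: trust __html__() when present, otherwise escape str(value)."""
    if hasattr(value, "__html__"):
        return value.__html__()
    return html.escape(str(value))


class Plain:
    """No __html__: callers always receive an escaped str()."""

    def __init__(self, name):
        self.name = name

    def __str__(self):
        return self.name


class UnsafeBadge(Plain):
    """__html__ interpolates the field raw, so stored data reaches the page
    as markup because the caller no longer escapes it."""

    def __html__(self):
        return f'<span class="badge">{self.name}</span>'


class SafeBadge(Plain):
    """__html__ escapes every interpolated field; only the wrapper is trusted."""

    def __html__(self):
        return f'<span class="badge">{html.escape(self.name)}</span>'


def leaks_markup(cls, probe="<b>probe</b>"):
    """Review/test helper: True if a field value survives rendering unescaped.
    The probe string is a constructed, inert marker."""
    return probe in conditional_escape_sketch(cls(probe))


if __name__ == "__main__":
    for cls in (Plain, UnsafeBadge, SafeBadge):
        print(f"{cls.__name__:12} leaks field markup: {leaks_markup(cls)}")
```

A check like `leaks_markup` can run as a unit test over every class that defines `__html__` before its output is trusted in more admin templates.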
