Admin pages insufficiently escape special characters in primary keys links
|Reported by:||jdetaeye@…||Owned by:||nobody|
|Severity:||Keywords:||url encode string|
|Has patch:||yes||Needs documentation:||no|
|Needs tests:||no||Patch needs improvement:||no|
To access the individual objects, the admin pages build URLs which include the primary key.
My application has models with a string as primary key.
It turns out that the admin pages don't escape special characters in the primary keys very well.
RFC 2396 (see http://www.ietf.org/rfc/rfc2396.txt) lists the following special characters (not including the characters categorized as "unwise"):
: / # ? ; @ & = + $ , " < > %
Django escapes only two of those:
Because of the limited escaping one can argue that strings as primary keys are not usable in Django for a real-life application :-(
The attached patch provides a more complete escape routine.
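The failure mode described in this ticket, as an added example that is not part of the original report and is not Django's code or the attached patch: it checks which of the listed characters stop a string primary key from surviving a trip through a URL path, with and without full percent-encoding. The `/admin/app/model/` prefix, the function names and the simplified resolver (split first, decode second) are assumptions made for the illustration.

```python
from urllib.parse import quote, unquote, urlsplit

# Special characters as listed in the ticket (from RFC 2396).
SPECIAL = ':/#?;@&=+$,"<>%'

# Hypothetical URL prefix for one model's admin pages.
PREFIX = "/admin/app/model/"


def object_url(pk, escape):
    """Build the link to one object from its string primary key."""
    # safe="" makes quote() encode "/" as well, which it skips by default.
    segment = quote(pk, safe="") if escape else pk
    return PREFIX + segment + "/"


def resolve_pk(url):
    """Recover the primary key as a simplified path-based resolver would.

    Assumption: query and fragment are dropped, the path is split on "/",
    and only then is the segment percent-decoded.
    """
    path = urlsplit(url).path
    if not path.startswith(PREFIX):
        return None
    segment = path[len(PREFIX):].split("/", 1)[0]
    return unquote(segment)


def failing_characters(escape):
    """Return the listed characters whose keys do not round-trip."""
    failures = []
    for ch in SPECIAL:
        pk = "k" + ch + "41"  # constructed sample key, e.g. "k/41"
        if resolve_pk(object_url(pk, escape)) != pk:
            failures.append(ch)
    return failures


if __name__ == "__main__":
    print("unescaped, broken keys for:", failing_characters(False))
    print("escaped, broken keys for:  ", failing_characters(True))
    print(object_url(SPECIAL, True))
```

A server that percent-decodes the path before routing would turn `%2F` back into `/` ahead of the split, so the split-then-decode order in `resolve_pk` is an assumption of this sketch rather than a property of every deployment.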
Change History (8)
comment:1 Changed 9 years ago by Simon G. <dev@…>
- Has patch set
- Needs documentation unset
- Needs tests unset
- Patch needs improvement unset
- Triage Stage changed from Unreviewed to Ready for checkin