Opened 17 years ago
Closed 17 years ago
#5041 closed (wontfix)
Admin pages insufficiently escape special characters in primary keys links
Reported by: | | Owned by: | nobody |
---|---|---|---|
Component: | contrib.admin | Version: | dev |
Severity: | | Keywords: | url encode string |
Cc: | | Triage Stage: | Accepted |
Has patch: | yes | Needs documentation: | no |
Needs tests: | no | Patch needs improvement: | no |
Easy pickings: | no | UI/UX: | no |
Description
To access the individual objects, the admin pages build urls which include the primary key.
My application has models with a string as primary key.
It turns out that the admin pages don't escape special characters in the primary keys very well.
RFC 2396 (see http://www.ietf.org/rfc/rfc2396.txt) lists the following special characters (not including the characters categorized as "unwise"):
: / # ? ; @ & = + $ , " < > %
Django escapes only two of those:
: /
Because of the limited escaping one can argue that strings as primary keys are not usable in Django for a real-life application :-(
The attached patch provides a more complete escape routine.
The javascript code used in popup windows also doesn't escape the special characters very well (but I haven't looked into that yet).
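A minimal quoting helper covering the reserved characters the ticket lists, added here as an illustration (it is neither the attached patch nor Django's own code); the `_XX` escape form (chosen so the browser does not unquote it back into a path-splitting character) and the `/admin/<app>/<model>/<pk>/` URL shape are assumptions:

```python
import re
from urllib.parse import urlsplit

# Reserved characters from RFC 2396 as listed in the ticket, plus '_' because
# it serves as the escape prefix and must therefore be escaped itself.
RESERVED = ':/#?;@&=+$,"<>%'
QUOTE_MAP = {ord(c): "_%02X" % ord(c) for c in RESERVED + "_"}
_ESCAPE_RE = re.compile(r"_([0-9A-Fa-f]{2})")


def quote(pk):
    """Escape a string primary key for use as one admin URL path segment.

    Non-string keys (e.g. integer ids) are returned unchanged.
    """
    if not isinstance(pk, str):
        return pk
    return pk.translate(QUOTE_MAP)


def unquote(s):
    """Reverse quote(); a '_' not followed by two hex digits is left alone."""
    return _ESCAPE_RE.sub(lambda m: chr(int(m.group(1), 16)), s)


def admin_object_url(app_label, model_name, pk):
    """Build an object's admin change URL (assumed URL layout)."""
    return "/admin/%s/%s/%s/" % (app_label, model_name, quote(pk))


def path_is_unambiguous(url):
    """True if the key segment survives URL parsing intact: nothing is split
    off as query or fragment, the path still has exactly four segments, and
    the key segment contains none of the reserved characters."""
    parts = urlsplit(url)
    segments = parts.path.strip("/").split("/")
    return (parts.query == "" and parts.fragment == ""
            and len(segments) == 4
            and not any(c in segments[3] for c in RESERVED))


if __name__ == "__main__":
    # Constructed sample key containing several of the reserved characters.
    pk = "ACME/Widgets?rev=2&x#top:1"
    url = admin_object_url("inventory", "part", pk)
    print(url)
    assert unquote(quote(pk)) == pk
    assert path_is_unambiguous(url)
```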
Attachments (3)
Change History (8)
by , 17 years ago
Attachment: | quoteurl.patch added |
---|---|
comment:1 by , 17 years ago
Has patch: | set |
---|---|
Triage Stage: | Unreviewed → Ready for checkin |
comment:3 by , 17 years ago
I noticed that also the deletion of entities with special characters is failing. The links shown on the admin page to confirm the deletion are not using the quote function.
I'm uploading a new version of the patch.
comment:4 by , 17 years ago
Triage Stage: | Ready for checkin → Accepted |
---|---|
Found yet another place where the escaping is insufficient: the log entries on the main admin page.
Because of my recent updates, I am also setting the triage stage back from 'ready for checkin' to 'accepted'...
More complete url escape function