Opened 8 years ago

Closed 8 years ago

#5041 closed (wontfix)

Admin pages insufficiently escape special characters in primary keys links

Reported by: jdetaeye@…
Owned by: nobody
Component: contrib.admin
Version: master
Severity:
Keywords: url encode string
Cc:
Triage Stage: Accepted
Has patch: yes
Needs documentation: no
Needs tests: no
Patch needs improvement: no
Easy pickings:
UI/UX:

Description

To access the individual objects, the admin pages build URLs which include the primary key.
My application has models with a string as primary key.
It turns out that the admin pages don't escape special characters in the primary keys very well.

RFC 2396 (see http://www.ietf.org/rfc/rfc2396.txt) lists the following special characters (not including the characters categorized as "unwise"):

: / # ? ; @ & = + $ , " < > %

Django escapes only two of those:

: /


Because of the limited escaping one can argue that strings as primary keys are not usable in Django for a real-life application :-(

The attached patch provides a more complete escape routine.

The javascript code used in popup windows also doesn't escape the special characters very well. (but I haven't looked into that yet)
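The failure mode described above, as an added example that is not part of the ticket or of Django's own code: a string primary key is placed in an admin change URL once with only `:` and `/` escaped, and once with every character from the RFC 2396 list escaped. The `_XX` encoding (underscore plus two uppercase hex digits, also applied to `_` itself so it can be reversed) is an assumption made here, chosen so that browsers and web servers do not transparently percent-decode the value before the view sees it; `change_url` and `pk_from_url` are hypothetical helpers standing in for the admin's URL building and resolving.

```python
"""Escaping string primary keys for admin-style URL paths (added example, not Django code)."""
import re
from urllib.parse import urlsplit

# The characters RFC 2396 reserves or forbids in a path segment, as listed in
# the ticket (": / # ? ; @ & = + $ , \" < > %"), plus "_" because it is the
# escape marker used below and must itself be escapable.
SPECIAL = ':/#?;@&=+$,"<>%_'

# Assumed encoding: "_" followed by two uppercase hex digits of the byte.
QUOTE_MAP = {c: '_%02X' % ord(c) for c in SPECIAL}
UNQUOTE_MAP = {v: k for k, v in QUOTE_MAP.items()}
UNQUOTE_RE = re.compile('_(?:%s)' % '|'.join(v[1:] for v in QUOTE_MAP.values()))


def legacy_quote(s):
    """The situation the ticket complains about: only ':' and '/' are escaped."""
    return ''.join('_%02X' % ord(c) if c in ':/' else c for c in s)


def quote(s):
    """Escape every URL-significant character so the value is one opaque path segment."""
    if not isinstance(s, str):
        return s
    return ''.join(QUOTE_MAP.get(c, c) for c in s)


def unquote(s):
    """Reverse quote(); only the exact _XX sequences produced by quote() are decoded."""
    return UNQUOTE_RE.sub(lambda m: UNQUOTE_MAP[m.group(0)], s)


def change_url(app, model, pk, quoter=quote):
    """Hypothetical admin change URL: /admin/<app>/<model>/<pk>/."""
    return '/admin/%s/%s/%s/' % (app, model, quoter(pk))


def pk_from_url(url):
    """Recover the primary key the way a URL resolver would see it.

    Returns None when the key did not survive as a single path segment, e.g.
    because '?' or '#' in an unescaped key turned part of it into a query
    string or fragment, or '/' split it into extra segments.
    """
    parts = urlsplit(url)
    if parts.query or parts.fragment:
        return None
    segments = parts.path.strip('/').split('/')
    if len(segments) != 4:  # admin / app / model / pk
        return None
    return unquote(segments[3])


if __name__ == '__main__':
    # Constructed sample key containing several of the problematic characters.
    pk = 'A&B?x=1#top'
    broken = change_url('inventory', 'item', pk, quoter=legacy_quote)
    fixed = change_url('inventory', 'item', pk)
    print('legacy :', broken, '->', pk_from_url(broken))
    print('escaped:', fixed, '->', pk_from_url(fixed))
```

With the legacy quoting the key `A&B?x=1#top` produces `/admin/inventory/item/A&B?x=1#top/`, which any URL parser splits into a path ending in `A&B`, a query `x=1` and a fragment; the object can never be reached. With the fuller escaping the same key becomes `A_26B_3Fx_3D1_23top` and round-trips exactly. Note that the reverse mapping only recognises the specific `_XX` pairs in the table, so a key that legitimately contains `_26` is still decoded correctly because its own `_` is escaped as `_5F` on the way out.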

Attachments (3)

quoteurl.patch (644 bytes) - added by jdetaeye@… 8 years ago.
More complete url escape function
quoteurl.2.patch (3.3 KB) - added by jdetaeye@… 8 years ago.
Updated version of the patch
quoteurl_logentry.patch (589 bytes) - added by jdetaeye@… 8 years ago.
Updating also the logentry


Change History (8)

Changed 8 years ago by jdetaeye@…

More complete url escape function

comment:1 Changed 8 years ago by Simon G. <dev@…>

  • Has patch set
  • Needs documentation unset
  • Needs tests unset
  • Patch needs improvement unset
  • Triage Stage changed from Unreviewed to Ready for checkin

comment:2 Changed 8 years ago by jdetaeye@…

The attached patch also addresses the issue described in ticket #5045.

comment:3 Changed 8 years ago by jdetaeye@…

I noticed that also the deletion of entities with special characters is failing. The links shown on the admin page to confirm the deletion are not using the quote function.
I'm uploading a new version of the patch.

Changed 8 years ago by jdetaeye@…

Updated version of the patch

Changed 8 years ago by jdetaeye@…

Updating also the logentry

comment:4 Changed 8 years ago by jdetaeye@…

  • Triage Stage changed from Ready for checkin to Accepted

Found yet another place where the escaping is insufficient: the log entries on the main admin page.

Because of my recent updates, I am also setting the triage stage back from 'ready for checkin' to 'accepted'...

comment:5 Changed 8 years ago by Simon G. <dev@…>

  • Resolution set to wontfix
  • Status changed from new to closed

wontfixed in favor of #5490.
