Opened 17 years ago

Closed 17 years ago

#5041 closed (wontfix)

Admin pages insufficiently escape special characters in primary keys links

Reported by: jdetaeye@…
Owned by: nobody
Component: contrib.admin
Version: dev
Severity:
Keywords: url encode string
Cc:
Triage Stage: Accepted
Has patch: yes
Needs documentation: no
Needs tests: no
Patch needs improvement: no
Easy pickings: no
UI/UX: no

Description

To access the individual objects, the admin pages build urls which include the primary key.
My application has models with a string as primary key.
It turns out that the admin pages don't escape special characters in the primary keys very well.

RFC 2396 (see http://www.ietf.org/rfc/rfc2396.txt) lists the following special characters (not including the characters categorized as "unwise"):

: / # ? ; @ & = + $ , " < > %

Django escapes only two of those:

: /


Because of the limited escaping one can argue that strings as primary keys are not usable in Django for a real-life application :-(

The attached patch provides a more complete escape routine.

The JavaScript code used in popup windows also doesn't escape the special characters very well (but I haven't looked into that yet).
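As an added illustration of the problem described above (example code, not one of the ticket's patches and not Django's own code): a quote() that escapes only ':' and '/' beside one that escapes the full RFC 2396 list, both using the '_XX' hex convention of Django's admin quote(). It goes one step beyond the ticket's list by also escaping '_' itself, which is what makes unquote() unambiguous; the helper pk_seen_by_server(), the URL prefix and the sample keys are constructed for this example.

```python
from urllib.parse import urlsplit

# Characters RFC 2396 lists as reserved/delimiters (the set quoted in the ticket),
# plus '_' so the escape prefix itself is never mistaken for primary-key data.
SPECIAL = ':/#?;@&=+$,"<>%_'

def _quote_with(value, chars):
    """Replace each character in `chars` by '_' + two uppercase hex digits."""
    if not isinstance(value, str):
        return value
    return ''.join('_%02X' % ord(c) if c in chars else c for c in value)

def quote_minimal(pk):
    """Escape only ':' and '/' (the behaviour the ticket reports)."""
    return _quote_with(pk, ':/')

def quote(pk):
    """Escape every character in SPECIAL, so the result is a clean path segment."""
    return _quote_with(pk, SPECIAL)

def unquote(quoted):
    """Inverse of quote(): '_XX' (two hex digits) becomes the original character."""
    parts = quoted.split('_')
    out = [parts[0]]
    for item in parts[1:]:
        hexpair = item[:2]
        if len(hexpair) == 2 and all(c in '0123456789abcdefABCDEF' for c in hexpair):
            out.append(chr(int(hexpair, 16)) + item[2:])
        else:
            out.append('_' + item)  # not an escape sequence; keep it literally
    return ''.join(out)

def pk_seen_by_server(quoter, pk, prefix='/admin/app/model/'):
    """Build the admin change URL (constructed prefix) and return the pk the
    server would route on: the last path segment, after the URL parser has
    split off anything following '?' or '#'."""
    url = prefix + quoter(pk) + '/'
    path = urlsplit(url).path
    return path[len(prefix):].rstrip('/')

if __name__ == '__main__':
    for pk in ('item?x=1', 'a#b', 'x_41y', 'c:/d'):
        # Left: what survives with minimal quoting. Right: full quote + unquote.
        print(repr(pk), '->', repr(unquote(pk_seen_by_server(quote_minimal, pk))),
              'vs', repr(unquote(pk_seen_by_server(quote, pk))))
```

With minimal quoting, 'item?x=1' reaches the view as 'item' and 'x_41y' is decoded to 'xAy', so the admin acts on a different object; with the full set every key round-trips unchanged.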

Attachments (3)

quoteurl.patch (644 bytes) - added by jdetaeye@… 17 years ago.
More complete url escape function
quoteurl.2.patch (3.3 KB) - added by jdetaeye@… 17 years ago.
Updated version of the patch
quoteurl_logentry.patch (589 bytes) - added by jdetaeye@… 17 years ago.
Updating also the logentry


Change History (8)

by jdetaeye@…, 17 years ago

Attachment: quoteurl.patch added

More complete url escape function

comment:1 by Simon G. <dev@…>, 17 years ago

Has patch: set
Triage Stage: Unreviewed → Ready for checkin

comment:2 by jdetaeye@…, 17 years ago

The attached patch also addresses the issue described in ticket #5045.

comment:3 by jdetaeye@…, 17 years ago

I noticed that also the deletion of entities with special characters is failing. The links shown on the admin page to confirm the deletion are not using the quote function.
I'm uploading a new version of the patch.

by jdetaeye@…, 17 years ago

Attachment: quoteurl.2.patch added

Updated version of the patch

by jdetaeye@…, 17 years ago

Attachment: quoteurl_logentry.patch added

Updating also the logentry

comment:4 by jdetaeye@…, 17 years ago

Triage Stage: Ready for checkin → Accepted

Found yet another place where the escaping is insufficient: the log entries on the main admin page.

Because of my recent updates, I am also setting the triage stage back from 'ready for checkin' to 'accepted'...

comment:5 by Simon G. <dev@…>, 17 years ago

Resolution: wontfix
Status: new → closed

wontfixed in favor of #5490.
