Admin pages insufficiently escape special characters in primary keys links
|Reported by:||Owned by:||nobody|
|Severity:||Keywords:||url encode string|
|Has patch:||yes||Needs documentation:||no|
|Needs tests:||no||Patch needs improvement:||no|
To access the individual objects, the admin pages build URLs which include the primary key.
My application has models with a string as primary key.
It turns out that the admin pages don't escape special characters in the primary keys very well.
RFC 2396 (see http://www.ietf.org/rfc/rfc2396.txt) lists the following special characters (not including the characters categorized as "unwise"):
: / # ? ; @ & = + $ , " < > %
Django escapes only two of those:
Because of the limited escaping one can argue that strings as primary keys are not usable in Django for a real-life application :-(
The attached patch provides a more complete escape routine.
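The failure mode described in this ticket, as an added example that is not part of the ticket or its attached patch: it places string primary keys in a URL path segment raw and percent-encoded, then reports which keys the receiving side cannot recover. The URL layout, function names and sample keys are assumptions made for illustration, and `urllib.parse.quote` stands in for whatever escape routine the patch uses.

```python
from urllib.parse import quote, unquote, urlsplit

# Special characters listed in the ticket (RFC 2396, "unwise" ones excluded).
SPECIAL = ':/#?;@&=+$,"<>%'

# Constructed sample primary keys, not taken from any real application.
SAMPLE_KEYS = ["plain", "a/b", "a?b", "a#b", "50%25off", "a&b=c", "x+y", "user@host"]


def escape_pk(pk: str) -> str:
    """Percent-encode everything except RFC 3986 unreserved characters."""
    return quote(pk, safe="")


def build_change_url(pk: str, escape: bool = True) -> str:
    """Hypothetical admin-style layout: /admin/app/model/<pk>/ (an assumption)."""
    segment = escape_pk(pk) if escape else pk
    return f"/admin/app/model/{segment}/"


def recover_pk(url: str) -> str:
    """Parse the URL as a server would and decode the segment after 'model'."""
    parts = urlsplit(url).path.split("/")  # ['', 'admin', 'app', 'model', <pk>, ...]
    return unquote(parts[4]) if len(parts) > 4 else ""


def audit(keys):
    """Return (raw_broken, escaped_broken): keys that fail the URL round trip."""
    raw_broken = [k for k in keys
                  if recover_pk(build_change_url(k, escape=False)) != k]
    escaped_broken = [k for k in keys
                      if recover_pk(build_change_url(k, escape=True)) != k]
    return raw_broken, escaped_broken


if __name__ == "__main__":
    raw_broken, escaped_broken = audit(SAMPLE_KEYS)
    print("lost when unescaped:", raw_broken)
    print("lost when escaped:  ", escaped_broken)
    print("escaped specials:   ", escape_pk(SPECIAL))
```

Some front-end web servers decode or reject `%2F` in a path before the application sees it, so the round trip should also be checked end to end in the deployed stack.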
Change History (8)
comment:1 Changed 9 years ago by
|Patch needs improvement:||unset|
|Triage Stage:||Unreviewed → Ready for checkin|