Opened 17 years ago

Closed 16 years ago

Last modified 13 years ago

#5490 closed (fixed)

newforms-admin: Admin pages insufficiently escape special characters in primary keys links

Reported by: jdetaeye Owned by: Brian Rosner
Component: contrib.admin Version: newforms-admin
Severity: Keywords: nfa-blocker, ep2008
Cc: jdetaeye@…, cmawebsite@… Triage Stage: Ready for checkin
Has patch: yes Needs documentation: no
Needs tests: no Patch needs improvement: no
Easy pickings: no UI/UX: no

Description

This is the same issue as reported in #5041, but tested and patched in the newforms-admin.

To reproduce:

  • create a model with a string as primary key
  • create a record with name ": / # ? ; @ & = + $ , " < > %"

In the admin ui you can now find the following problems:
1) link from the 'change list' to the 'change form' doesn't work
2) the link displayed in the 'recent actions' doesn't work
3) the links displayed on the 'delete confirmation' page doesn't work

Attachments (3)

ecaping_url.patch (7.4 KB ) - added by jdetaeye 17 years ago.
patch
urlquote.diff (2.8 KB ) - added by tlpinney 17 years ago.
urlquote_string_primarekey_with_tests.diff (10.1 KB ) - added by Remco Wendt 16 years ago.
Updated patch and added unit tests

Download all attachments as: .zip

Change History (20)

by jdetaeye, 17 years ago

Attachment: ecaping_url.patch added

patch

comment:1 by Simon G. <dev@…>, 17 years ago

Triage Stage: UnreviewedReady for checkin

comment:2 by jdetaeye, 17 years ago

Cc: jdetaeye@… added

comment:3 by James Bennett, 17 years ago

Owner: changed from nobody to xian

Reassigning to Christian so he'll see it, since he's doing newforms-admin template stuff.

comment:4 by jdetaeye, 17 years ago

The patch is slightly out of date since the introduction of the auto-escaping...

comment:5 by Brian Rosner, 17 years ago

Keywords: nfa-blocker added; newforms-admin removed
Patch needs improvement: set
Triage Stage: Ready for checkinAccepted

This should be included before the merge into trunk. Bumping down to Accepted since it needs a new patch against newforms-admin.

by tlpinney, 17 years ago

Attachment: urlquote.diff added

comment:6 by Marc Garcia, 16 years ago

milestone: 1.0 alpha

comment:7 by Remco Wendt, 16 years ago

Keywords: ep2008 added
Owner: changed from xian to Remco Wendt
Status: newassigned

I'm having another look at this ticket and the supplied patches

comment:8 by Remco Wendt, 16 years ago

Needs tests: set

These changes at least need tests

comment:9 by Remco Wendt, 16 years ago

Work for this also seems to have been done in #1375

comment:10 by Remco Wendt, 16 years ago

Updated patch to include unit tests and changed the locations of where the actual urlquote is being done.

by Remco Wendt, 16 years ago

Updated patch and added unit tests

comment:11 by anonymous, 16 years ago

I have tested latest patch with browsers. All test passed. It works fine with Opera 9.51, FF3 and Konqueror 3.5.9.

comment:12 by Remco Wendt, 16 years ago

Yes I've done the same thing to be sure that the quoting has the same semantics in all browser, I've tested on Safari, FF3 (mac), FF (windows), IE6 & 7 and Camino. Works great. I'll ask Honza to triage this tomorrow and then it can be checked in.

comment:13 by Honza Král, 16 years ago

Needs tests: unset
Patch needs improvement: unset
Triage Stage: AcceptedReady for checkin

marking this ready for checkin as part of the sprint, the attached tests pass and it has been tested on firefox, konqueror and IE

comment:14 by Brian Rosner, 16 years ago

Owner: changed from Remco Wendt to Brian Rosner
Status: assignednew

comment:15 by anonymous, 16 years ago

Cc: cmawebsite@… added

comment:16 by Brian Rosner, 16 years ago

Resolution: fixed
Status: newclosed

(In [7935]) newforms-admin: Fixed #5490 -- Properly quote special characters in primary keys in the admin. Added tests to ensure functionality. This also moves quote and unquote to django/contrib/admin/util.py. Thanks jdetaeye and shanx for all your help.

comment:17 by Jacob, 13 years ago

milestone: 1.0 alpha

Milestone 1.0 alpha deleted

Note: See TracTickets for help on using tickets.
Back to Top