
Opened 7 years ago

Closed 6 years ago

Last modified 3 years ago

#5490 closed (fixed)

newforms-admin: Admin pages insufficiently escape special characters in primary keys links

Reported by: jdetaeye
Owned by: brosner
Component: contrib.admin
Version: newforms-admin
Severity:
Keywords: nfa-blocker, ep2008
Cc: jdetaeye@…, cmawebsite@…
Triage Stage: Ready for checkin
Has patch: yes
Needs documentation: no
Needs tests: no
Patch needs improvement: no
Easy pickings:
UI/UX:

Description

This is the same issue as reported in #5041, but tested and patched in the newforms-admin.

To reproduce:

  • create a model with a string as primary key
  • create a record with name ": / # ? ; @ & = + $ , " < > %"

In the admin ui you can now find the following problems:
1) the link from the 'change list' to the 'change form' doesn't work
2) the link displayed in the 'recent actions' doesn't work
3) the links displayed on the 'delete confirmation' page don't work
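
The underscore-hex quoting the fix describes (quote/unquote in django/contrib/admin/util.py), written here as an added Python example rather than the ticket's patch: the function names, the path layout and the exact escaped character set are assumptions modelled on the admin's quoting scheme, and the sample key is the one from the reproduction steps above.

```python
import re

# Characters that break an admin URL when a string primary key is placed in
# the path, or that a browser would re-decode if merely percent-encoded.
# Assumed set: the ticket's reproduction characters plus '_' (the escape
# marker) and backslash.
SPECIAL_CHARS = ':/_#?;@&=+$,"<>%\\'

# The primary key value from the ticket's reproduction steps (constructed input).
PK_FROM_TICKET = ': / # ? ; @ & = + $ , " < > %'


def quote(pk):
    """Escape a primary key for use as a single admin URL path segment.

    Each special character becomes '_' plus its two-digit hex code, e.g.
    '/' -> '_2F'. Unlike percent-encoding, the browser does not undo this,
    so the value reaches the change/delete views unchanged.
    Non-string keys (integers) are returned as-is.
    """
    if not isinstance(pk, str):
        return pk
    return ''.join('_%02X' % ord(c) if c in SPECIAL_CHARS else c for c in pk)


_ESCAPE_RE = re.compile(r'_([0-9A-Fa-f]{2})')


def unquote(s):
    """Reverse quote(); an '_' not followed by two hex digits is left alone."""
    return _ESCAPE_RE.sub(lambda m: chr(int(m.group(1), 16)), s)


def change_form_url(app_label, model_name, pk):
    """Build the change-form link as the fixed templates should: the quoted
    key is one path segment, so a '/', '?' or '#' inside the key can no
    longer truncate the path or be read as a query string or fragment.
    (The '/admin/<app>/<model>/<pk>/' layout is an assumption.)"""
    return '/admin/%s/%s/%s/' % (app_label, model_name, quote(pk))


if __name__ == '__main__':
    url = change_form_url('myapp', 'item', PK_FROM_TICKET)
    print(url)
    # The key segment round-trips through the view's unquote() intact.
    assert unquote(url.split('/')[4]) == PK_FROM_TICKET
```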

Attachments (3)

ecaping_url.patch (7.4 KB) - added by jdetaeye 7 years ago.
patch
urlquote.diff (2.8 KB) - added by tlpinney 6 years ago.
urlquote_string_primarekey_with_tests.diff (10.1 KB) - added by shanx 6 years ago.
Updated patch and added unit tests


Change History (20)

Changed 7 years ago by jdetaeye

patch

comment:1 Changed 7 years ago by Simon G. <dev@…>

  • Needs documentation unset
  • Needs tests unset
  • Patch needs improvement unset
  • Triage Stage changed from Unreviewed to Ready for checkin

comment:2 Changed 7 years ago by jdetaeye

  • Cc jdetaeye@… added

comment:3 Changed 7 years ago by ubernostrum

  • Owner changed from nobody to xian

Reassigning to Christian so he'll see it, since he's doing newforms-admin template stuff.

comment:4 Changed 7 years ago by jdetaeye

The patch is slightly out of date since the introduction of the auto-escaping...

comment:5 Changed 7 years ago by brosner

  • Keywords nfa-blocker added; newforms-admin removed
  • Patch needs improvement set
  • Triage Stage changed from Ready for checkin to Accepted

This should be included before the merge into trunk. Bumping down to Accepted since it needs a new patch against newforms-admin.

Changed 6 years ago by tlpinney

comment:6 Changed 6 years ago by garcia_marc

  • milestone set to 1.0 alpha

comment:7 Changed 6 years ago by shanx

  • Keywords nfa-blocker, ep2008 added; nfa-blocker removed
  • Owner changed from xian to shanx
  • Status changed from new to assigned

I'm having another look at this ticket and the supplied patches

comment:8 Changed 6 years ago by shanx

  • Needs tests set

These changes at least need tests

comment:9 Changed 6 years ago by shanx

Work for this also seems to have been done in #1375

comment:10 Changed 6 years ago by shanx

Updated patch to include unit tests and changed the locations of where the actual urlquote is being done.

Changed 6 years ago by shanx

Updated patch and added unit tests

comment:11 Changed 6 years ago by anonymous

I have tested the latest patch with browsers. All tests passed. It works fine with Opera 9.51, FF3 and Konqueror 3.5.9.

comment:12 Changed 6 years ago by shanx

Yes, I've done the same thing to be sure that the quoting has the same semantics in all browsers. I've tested on Safari, FF3 (mac), FF (windows), IE6 & 7 and Camino. Works great. I'll ask Honza to triage this tomorrow and then it can be checked in.

comment:13 Changed 6 years ago by Honza_Kral

  • Needs tests unset
  • Patch needs improvement unset
  • Triage Stage changed from Accepted to Ready for checkin

Marking this ready for checkin as part of the sprint; the attached tests pass and it has been tested on Firefox, Konqueror and IE.

comment:14 Changed 6 years ago by brosner

  • Owner changed from shanx to brosner
  • Status changed from assigned to new

comment:15 Changed 6 years ago by anonymous

  • Cc cmawebsite@… added

comment:16 Changed 6 years ago by brosner

  • Resolution set to fixed
  • Status changed from new to closed

(In [7935]) newforms-admin: Fixed #5490 -- Properly quote special characters in primary keys in the admin. Added tests to ensure functionality. This also moves quote and unquote to django/contrib/admin/util.py. Thanks jdetaeye and shanx for all your help.

comment:17 Changed 3 years ago by jacob

  • milestone 1.0 alpha deleted

Milestone 1.0 alpha deleted
