Opened 17 years ago

Closed 17 years ago

#6226 closed (fixed)

Newforms-admin escapes html tags when allow_tags is set

Reported by: michelts@… Owned by: Jeffrey Gelens
Component: contrib.admin Version: newforms-admin
Severity: Keywords: nfa-blocker newforms admin auto escape allow_tags
Cc: michelts@… Triage Stage: Ready for checkin
Has patch: yes Needs documentation: no
Needs tests: no Patch needs improvement: no
Easy pickings: no UI/UX: no

Description

Newforms-admin apply autoescape to a function output even when this function has the "allow_tags" attribute defined. There must be a way to output escape aware content from functions to the admin interface in order to output html content.

Attachments (1)

allow_tags_fix.diff (590 bytes ) - added by Jeffrey Gelens 17 years ago.
patch

Download all attachments as: .zip

Change History (9)

comment:1 by Chris Beaven, 17 years ago

You can probably achieve outputting html by just using mark_safe(). Perhaps the documentation needs to be updated to remove the allow_tags reference?

comment:2 by Michel Sabchuk, 17 years ago

No I can´t :) See above:

from django.db import models
from django.utils.safestring import mark_safe
from django.contrib import admin

class Example(models.Model):
    name = models.CharField()
    def test(self):
        return mark_safe('<b>%s</b>' % (self.name))

class ExampleOptions(admin.ModelAdmin):
    list_display = ('name', 'test')

admin_site = admin.AdminSite()
admin_site.register(Example, ExampleOptions)

This should output the name in bold weight but this is not true for now. But I agree with you, allow_tags should not be available in favor of mark_safe or some SafeData subclass ;)

comment:3 by Michel Sabchuk, 17 years ago

I found my mistake, I need to set the "allow_tags" attribute even if I return a safe string. See above:

class Example(models.Model):
    name = models.CharField()
    def test(self):
        return mark_safe('<b>%s</b>' % (self.name))
    test.allow_tags = True

Maybe we should remove the allow_tags attribute?

by Jeffrey Gelens, 17 years ago

Attachment: allow_tags_fix.diff added

patch

comment:4 by Jeffrey Gelens, 17 years ago

Created a patch so that mark_safe doesn't have to be used explicitly. This is conform the current documentation. This bug is already fixed in the trunk, but wasn't in the newforms-admin branch.

comment:5 by Jeffrey Gelens, 17 years ago

Has patch: set
Owner: changed from nobody to Jeffrey Gelens
Status: newassigned

comment:6 by Brian Rosner, 17 years ago

Triage Stage: UnreviewedReady for checkin

I was messing around with merging branches and noticed that trunk does this, but newforms-admin does not.

comment:7 by Brian Rosner, 17 years ago

Keywords: nfa-blocker added

comment:8 by Brian Rosner, 17 years ago

Resolution: fixed
Status: assignedclosed

Ugh, the post commit hook is not closing tickets. This was fixed in [7394].

Note: See TracTickets for help on using tickets.
Back to Top