Opened 8 years ago

Closed 7 years ago

#6226 closed (fixed)

Newforms-admin escapes html tags when allow_tags is set

Reported by: michelts@…
Owned by: jgelens
Component: contrib.admin
Version: newforms-admin
Severity:
Keywords: nfa-blocker newforms admin auto escape allow_tags
Cc: michelts@…
Triage Stage: Ready for checkin
Has patch: yes
Needs documentation: no
Needs tests: no
Patch needs improvement: no
Easy pickings:
UI/UX:

Description

Newforms-admin applies autoescape to a function's output even when this function has the "allow_tags" attribute defined. There must be a way to output escape-aware content from functions to the admin interface in order to output HTML content.

Attachments (1)

allow_tags_fix.diff (590 bytes) - added by jgelens 7 years ago.
patch


Change History (9)

comment:1 Changed 8 years ago by SmileyChris

  • Needs documentation unset
  • Needs tests unset
  • Patch needs improvement unset

You can probably achieve outputting html by just using mark_safe(). Perhaps the documentation needs to be updated to remove the allow_tags reference?

comment:2 Changed 8 years ago by michelts

No, I can't :) See above:

from django.db import models
from django.utils.safestring import mark_safe
from django.contrib import admin

class Example(models.Model):
    name = models.CharField(max_length=100)  # CharField requires max_length

    def test(self):
        # Returns a safe string; self.name is interpolated without escaping
        return mark_safe('<b>%s</b>' % (self.name))

class ExampleOptions(admin.ModelAdmin):
    # 'test' is the model method above, rendered as a change-list column
    list_display = ('name', 'test')

admin_site = admin.AdminSite()
admin_site.register(Example, ExampleOptions)

This should output the name in bold weight but this is not true for now. But I agree with you, allow_tags should not be available in favor of mark_safe or some SafeData subclass ;)

comment:3 Changed 8 years ago by michelts

I found my mistake, I need to set the "allow_tags" attribute even if I return a safe string. See above:

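from django.db import models
from django.utils.safestring import mark_safe

class Example(models.Model):
    name = models.CharField(max_length=100)  # CharField requires max_length

    def test(self):
        return mark_safe('<b>%s</b>' % (self.name))
    test.allow_tags = True  # flag read by the admin when rendering this column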

Maybe we should remove the allow_tags attribute?

Changed 7 years ago by jgelens

patch

comment:4 Changed 7 years ago by jgelens

Created a patch so that mark_safe doesn't have to be used explicitly. This conforms to the current documentation. This bug is already fixed in the trunk, but wasn't in the newforms-admin branch.

comment:5 Changed 7 years ago by jgelens

  • Has patch set
  • Owner changed from nobody to jgelens
  • Status changed from new to assigned

comment:6 Changed 7 years ago by brosner

  • Triage Stage changed from Unreviewed to Ready for checkin

I was messing around with merging branches and noticed that trunk does this, but newforms-admin does not.

comment:7 Changed 7 years ago by brosner

  • Keywords nfa-blocker added

comment:8 Changed 7 years ago by brosner

  • Resolution set to fixed
  • Status changed from assigned to closed

Ugh, the post commit hook is not closing tickets. This was fixed in [7394].
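
Added example, not part of the ticket or of Django's source: a stdlib-only model of the escaping decision discussed in comment:2 through comment:4, showing that once allow_tags makes the admin trust a method's output, any field value interpolated into that output has to be escaped by the method itself. SafeText, render_cell, Row, bold_raw and bold_escaped are hypothetical names, and mark_safe / conditional_escape here are simplified stand-ins for the Django functions of the same name.

```python
from html import escape


class SafeText(str):
    """Marker type: a string the template layer must not escape again."""


def mark_safe(value):
    return SafeText(value)


def conditional_escape(value):
    # Autoescape rule: escape everything except values already marked safe.
    return value if isinstance(value, SafeText) else SafeText(escape(str(value)))


def render_cell(func, obj, patched=True):
    """Render one list_display cell produced by a callable column.

    patched=False models the behaviour reported in this ticket;
    patched=True models the fix described in comment:4."""
    result = func(obj)
    if not getattr(func, "allow_tags", False):
        return SafeText(escape(str(result)))  # always escaped, even if marked safe
    if patched:
        result = mark_safe(result)            # allow_tags alone trusts the output
    return conditional_escape(result)


class Row:
    def __init__(self, name):
        self.name = name


def bold_raw(obj):
    # Pattern used in the ticket: the field value is interpolated unescaped.
    return "<b>%s</b>" % obj.name
bold_raw.allow_tags = True


def bold_escaped(obj):
    # Escape the stored value first, then wrap it in the trusted markup.
    return "<b>%s</b>" % escape(obj.name)
bold_escaped.allow_tags = True


if __name__ == "__main__":
    row = Row("a<i>b & c")  # constructed sample value containing markup
    for fn in (bold_raw, bold_escaped):
        print(fn.__name__, "->", render_cell(fn, row))
```

With allow_tags set, bold_raw passes markup stored in the name field straight into the page, while bold_escaped renders it as text inside the bold element.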
