Opened 16 years ago

Closed 16 years ago

#6226 closed (fixed)

Newforms-admin escapes html tags when allow_tags is set

Reported by: michelts@…
Owned by: Jeffrey Gelens
Component: contrib.admin
Version: newforms-admin
Severity:
Keywords: nfa-blocker newforms admin auto escape allow_tags
Cc: michelts@…
Triage Stage: Ready for checkin
Has patch: yes
Needs documentation: no
Needs tests: no
Patch needs improvement: no
Easy pickings: no
UI/UX: no

Description

Newforms-admin applies autoescape to a function's output even when this function has the "allow_tags" attribute defined. There must be a way to output escape-aware content from functions to the admin interface in order to output HTML content.

Attachments (1)

allow_tags_fix.diff (590 bytes) - added by Jeffrey Gelens 16 years ago.
patch


Change History (9)

comment:1 by Chris Beaven, 16 years ago

You can probably achieve outputting html by just using mark_safe(). Perhaps the documentation needs to be updated to remove the allow_tags reference?

comment:2 by Michel Sabchuk, 16 years ago

No, I can't :) See above:

from django.db import models
from django.utils.safestring import mark_safe
from django.contrib import admin

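class Example(models.Model):
    # CharField requires max_length; 100 is an arbitrary value
    name = models.CharField(max_length=100)
    def test(self):
        # Wraps the stored name in <b> and marks the whole string as safe
        return mark_safe('<b>%s</b>' % (self.name))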

class ExampleOptions(admin.ModelAdmin):
    list_display = ('name', 'test')

admin_site = admin.AdminSite()
admin_site.register(Example, ExampleOptions)

This should output the name in bold weight but this is not true for now. But I agree with you, allow_tags should not be available in favor of mark_safe or some SafeData subclass ;)

comment:3 by Michel Sabchuk, 16 years ago

I found my mistake, I need to set the "allow_tags" attribute even if I return a safe string. See above:

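class Example(models.Model):
    # CharField requires max_length; 100 is an arbitrary value
    name = models.CharField(max_length=100)
    def test(self):
        return mark_safe('<b>%s</b>' % (self.name))
    # Tells the admin not to escape this method's output
    test.allow_tags = True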

Maybe we should remove the allow_tags attribute?

by Jeffrey Gelens, 16 years ago

Attachment: allow_tags_fix.diff added

patch

comment:4 by Jeffrey Gelens, 16 years ago

Created a patch so that mark_safe doesn't have to be used explicitly. This conforms to the current documentation. This bug is already fixed in the trunk, but wasn't in the newforms-admin branch.
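Added example, not part of the ticket and not Django's code: a plain-Python model of the behaviour comment:4 describes (output of an allow_tags method is emitted verbatim, anything else is escaped), showing that a method like test then has to escape stored values itself. render_cell, unescaped_allow_tags, test_escaped, test_plain and the sample value are assumptions made for illustration, and html.escape stands in for Django's escaping.

```python
from html import escape

PROBE = "Tom & <i>Jerry</i>"  # constructed sample value containing markup


def render_cell(obj, method_name):
    """Simplified model of a changelist cell: allow_tags output is
    emitted verbatim, everything else is escaped (assumed behaviour)."""
    method = getattr(obj, method_name)
    value = str(method())
    if getattr(method, "allow_tags", False):
        return value
    return escape(value)


class Example:
    """Plain-Python stand-in for the ticket's model (no database needed)."""

    def __init__(self, name):
        self.name = name

    def test(self):
        # Pattern from the ticket: name is interpolated without escaping.
        return "<b>%s</b>" % self.name
    test.allow_tags = True

    def test_escaped(self):
        # Hardened form: escape the stored value, trust only the <b> wrapper.
        return "<b>%s</b>" % escape(self.name)
    test_escaped.allow_tags = True

    def test_plain(self):
        # No allow_tags: the renderer escapes everything, wrapper included.
        return "<b>%s</b>" % self.name


def unescaped_allow_tags(cls, probe=PROBE):
    """Return names of allow_tags methods that let markup in the data through."""
    obj = cls(probe)
    leaky = []
    for attr_name, attr in vars(cls).items():
        if callable(attr) and getattr(attr, "allow_tags", False):
            if probe in render_cell(obj, attr_name):
                leaky.append(attr_name)
    return leaky
```

A check like unescaped_allow_tags can run in a test suite to flag display methods that pass stored values into the admin page unescaped.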

comment:5 by Jeffrey Gelens, 16 years ago

Has patch: set
Owner: changed from nobody to Jeffrey Gelens
Status: new → assigned

comment:6 by Brian Rosner, 16 years ago

Triage Stage: Unreviewed → Ready for checkin

I was messing around with merging branches and noticed that trunk does this, but newforms-admin does not.

comment:7 by Brian Rosner, 16 years ago

Keywords: nfa-blocker added

comment:8 by Brian Rosner, 16 years ago

Resolution: fixed
Status: assigned → closed

Ugh, the post commit hook is not closing tickets. This was fixed in [7394].
