Opened 13 years ago
Closed 13 years ago
Last modified 12 years ago

#660 closed defect (fixed)

admin executes template code that happens to be in strings in the list views

Reported by: hugo
Owned by: Adrian Holovaty
Component: contrib.admin
Version:
Severity: normal
Keywords: new-admin
Cc:
Triage Stage: Unreviewed
Has patch: no
Needs documentation: no
Needs tests: no
Patch needs improvement: no
Easy pickings:
UI/UX:


When you have a field that stores template snippets and add that field to the list_display tuple to show up in admin list views, the template code in those snippets is evaluated. I suppose this is because of the dynamic creation of the admin template code.
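The pattern the report describes is a classic template-injection bug: field values are spliced into the template *source* before rendering, so any `{{ ... }}` or `{% ... %}` stored in the data is executed (or, if malformed, aborts the whole page). The following is an added example, not Django code and not from this ticket or its fix. It uses a deliberately tiny toy renderer as a stand-in for a template engine (it only substitutes `{{ name }}` and rejects any `{% ... %}` tag, mimicking "broken template code"), and contrasts the vulnerable build-source-from-data pattern with the safe pass-data-as-context pattern. `Snippet`, `render_list_row_vulnerable`, `render_list_row_safe` and the sample rows are all constructed for illustration.

```python
import re


class TemplateSyntaxError(Exception):
    """Raised when the toy engine meets a tag it cannot parse."""


# Toy template engine (NOT Django's): `{{ name }}` substitutes a context
# variable; any `{% ... %}` (or an unterminated `{%`) is rejected, since the
# toy supports no tags. Two behaviours from the ticket are reproduced: data
# that reads like template syntax gets evaluated, and a broken tag aborts
# the whole render instead of just one cell.
TOKEN = re.compile(r"{{\s*(\w+)\s*}}|{%(.*?)%}|{%", re.S)


def render(source, context):
    """Single-pass render: substituted values are never re-scanned."""
    def sub(match):
        var = match.group(1)
        if var is not None:
            return str(context.get(var, ""))
        raise TemplateSyntaxError("unsupported tag: %r" % match.group(0))
    return TOKEN.sub(sub, source)


class Snippet:
    """Constructed sample model row whose `body` stores template snippets."""
    def __init__(self, title, body):
        self.title = title
        self.body = body


def render_list_row_vulnerable(obj, list_display, context):
    # Field values become part of the template SOURCE. Anything in the stored
    # string that looks like template syntax is evaluated with the admin's
    # context, and a malformed tag raises for the entire row/page.
    cells = "".join("<td>%s</td>" % getattr(obj, f) for f in list_display)
    return render("<tr>" + cells + "</tr>", context)


def render_list_row_safe(obj, list_display, context):
    # Field values are passed as CONTEXT. The template source is fixed and
    # only ever contains variable references the code itself wrote, so stored
    # strings are emitted verbatim. (HTML escaping is a separate concern and
    # is not shown here.)
    ctx = dict(context)
    cells = []
    for i, field in enumerate(list_display):
        ctx["cell%d" % i] = getattr(obj, field)
        cells.append("<td>{{ cell%d }}</td>" % i)
    return render("<tr>" + "".join(cells) + "</tr>", ctx)


# Constructed sample data: one row with valid-looking template code, one with
# a broken tag, as the reporter feared an outside user might submit.
SNIPPETS = [
    Snippet("greeting", "Hello {{ user }}"),
    Snippet("broken", "oops {% if"),
]
ADMIN_CONTEXT = {"user": "admin"}   # context the admin view renders with
LIST_DISPLAY = ("title", "body")


def demo():
    """Render each sample row both ways; returns {title: (vulnerable, safe)}."""
    results = {}
    for snippet in SNIPPETS:
        try:
            vulnerable = render_list_row_vulnerable(snippet, LIST_DISPLAY, ADMIN_CONTEXT)
        except TemplateSyntaxError as exc:
            vulnerable = "ERROR: %s" % exc
        safe = render_list_row_safe(snippet, LIST_DISPLAY, ADMIN_CONTEXT)
        results[snippet.title] = (vulnerable, safe)
    return results


if __name__ == "__main__":
    for title, (vulnerable, safe) in demo().items():
        print("%-9s vulnerable: %s" % (title, vulnerable))
        print("%-9s safe:       %s" % ("", safe))
```

The "greeting" row shows the leak: the vulnerable path resolves `{{ user }}` against the admin's own context, while the safe path prints the stored text unchanged. The "broken" row shows the availability failure the reporter raised in comment 1: one malformed stored string throws during rendering and takes the whole list view down, whereas the context-based path is unaffected. The general rule is the same for any engine: never build template source from untrusted data; hand it to the engine as a variable.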

Change History (3)

comment:1 Changed 13 years ago by hugo

Would this maybe be fixed with the new_admin branch? Otherwise it definitely needs a solution, as it would allow users to break the admin templates by including broken template code in string fields. And if the shown strings are editable from the outside (maybe within the commenting system), even outside users could break the admin.

comment:2 Changed 13 years ago by rjwittams

Keywords: new-admin added

comment:3 Changed 13 years ago by rjwittams

Resolution: fixed
Status: new → closed

Fixed in new-admin merge.
