Opened 10 years ago

Closed 10 years ago

Last modified 9 years ago

#660 closed defect (fixed)

admin executes template code that happens to be in strings in the list views

Reported by: hugo
Owned by: adrian
Component: contrib.admin
Version:
Severity: normal
Keywords: new-admin
Cc:
Triage Stage: Unreviewed
Has patch: no
Needs documentation: no
Needs tests: no
Patch needs improvement: no
Easy pickings:
UI/UX:


When you have a field that stores template snippets and add that field to the list_display tuple to show up in admin list views, the template code in those snippets is evaluated. I suppose this is because of the dynamic creation of the admin template code.

Change History (3)

comment:1 Changed 10 years ago by hugo

Would this maybe be fixed with the new_admin branch? Otherwise it definitely needs a solution, as it would allow users to break the admin templates by including broken template code in string fields. And if the shown strings are editable from the outside (maybe within the commenting system), even outside users could break the admin.

comment:2 Changed 10 years ago by rjwittams

  • Keywords new-admin added

comment:3 Changed 10 years ago by rjwittams

  • Resolution set to fixed
  • Status changed from new to closed

Fixed in new-admin merge.
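
The failure mode reported in this ticket, as an added example that is not part of the ticket or of Django's code: it follows the reporter's suspected cause (field values ending up in dynamically built template source) and contrasts it with passing the values as context data. The renderer is a toy stand-in for a template engine, the names `render`, `list_view_unsafe` and `list_view_safe` are hypothetical, and the stored field values are constructed.

```python
import html
import re

# Toy stand-in for a template engine (not Django's): {{ name }} is looked up
# in the context, and an unbalanced {% tag is a syntax error.
VAR = re.compile(r"\{\{\s*(\w+)\s*\}\}")


class TemplateSyntaxError(Exception):
    pass


def render(source, context):
    """Parse the source once; substituted values are never parsed again."""
    if source.count("{%") != source.count("%}"):
        raise TemplateSyntaxError("unclosed block tag")
    return VAR.sub(lambda m: str(context.get(m.group(1), "")), source)


def list_view_unsafe(values, context):
    """Field values are pasted into the template source, so they get parsed."""
    source = "".join("<tr><td>%s</td></tr>" % v for v in values)
    return render(source, context)


def list_view_safe(values, context):
    """The source holds only placeholders; field values travel as data."""
    source = "".join("<tr><td>{{ cell%d }}</td></tr>" % i
                     for i in range(len(values)))
    cells = {"cell%d" % i: html.escape(v) for i, v in enumerate(values)}
    return render(source, {**context, **cells})


if __name__ == "__main__":
    ctx = {"admin_title": "Site administration"}
    stored = ["Welcome", "{{ admin_title }}"]  # constructed field values
    print(list_view_unsafe(stored, ctx))  # second cell is evaluated
    print(list_view_safe(stored, ctx))    # second cell is shown verbatim
    try:
        list_view_unsafe(["{% if broken"], ctx)
    except TemplateSyntaxError as exc:
        print("list view failed to render:", exc)
    print(list_view_safe(["{% if broken"], ctx))
```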
