Opened 18 years ago

Closed 18 years ago

Last modified 17 years ago

#758 closed defect (fixed)

django_admin_log items should be HTML-escaped when shown in admin interface

Reported by: Tom Tobin <korpios@…> Owned by: Adrian Holovaty
Component: contrib.admin Version:
Severity: normal Keywords:
Cc: Triage Stage: Accepted
Has patch: no Needs documentation: no
Needs tests: no Patch needs improvement: no
Easy pickings: no UI/UX: no

Description

Admin actions are currently added to the django_admin_log table with the object_repr column set to the object's __repr__. When displayed in the "Recent Actions" sidebar in the admin, however, these bits of text are not escaped to be HTML-safe; anything enclosed in <angle brackets>, for instance, seems invisible to the admin interface user as the browser interprets it as a tag.

Change History (3)

comment:1 by Tom Tobin <korpios@…>, 18 years ago

In the admin/index template, changing {{ entry.object_repr }} to {{ entry.object_repr|escape }} would do the trick.

comment:2 by Adrian Holovaty, 18 years ago

Resolution: fixed
Status: newclosed

(In [1149]) Fixed #758 -- HTML-escaped admin log items in admin index template. Thanks, Tom Tobin

comment:3 by korpios, 17 years ago

Reporter: changed from Tom Tobin <korpios@…> to Tom Tobin <korpios@…>
Note: See TracTickets for help on using tickets.
Back to Top