django_admin_log items should be HTML-escaped when shown in admin interface
Admin actions are currently added to the django_admin_log table with the object_repr column set to the object's __repr__. When displayed in the "Recent Actions" sidebar in the admin, however, these bits of text are not escaped to be HTML-safe; anything enclosed in <angle brackets>, for instance, seems invisible to the admin interface user as the browser interprets it as a tag.
Change History (3)
Resolution: → fixed
Status: new → closed
Reporter: changed from Tom Tobin <korpios@…> to Tom Tobin <korpios@…>
In the admin/index template, changing {{ entry.object_repr }} to {{ entry.object_repr|escape }} would do the trick.
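The effect described in the ticket, as an added example that is not Django's own code: a constructed object_repr containing angle brackets is spliced into a stand-in for the "Recent Actions" list item first unescaped (as {{ entry.object_repr }} rendered it) and then escaped (as {{ entry.object_repr|escape }} does), and a small HTML parser shows what a browser would actually display in each case. Python's html.escape stands in for Django's escape filter; the template string and the sample repr are assumptions for illustration.

```python
import html
from html.parser import HTMLParser

# Constructed sample: an object_repr value that happens to contain markup.
CONSTRUCTED_OBJECT_REPR = "Note <draft> for <b>review</b>"

# Stand-in for the admin/index list item that shows the repr (assumption).
LIST_ITEM_TEMPLATE = '<li class="recent-action">{object_repr}</li>'


def render_vulnerable(object_repr: str) -> str:
    """Mimics {{ entry.object_repr }} with no escaping: the repr lands in
    the page as raw HTML, so any <...> inside it becomes a tag."""
    return LIST_ITEM_TEMPLATE.format(object_repr=object_repr)


def render_escaped(object_repr: str) -> str:
    """Mimics {{ entry.object_repr|escape }}: <, >, &, and quotes are turned
    into entities before insertion, so the text is shown literally."""
    return LIST_ITEM_TEMPLATE.format(object_repr=html.escape(object_repr, quote=True))


class _VisibleText(HTMLParser):
    """Collects only the character data a browser would display; tags are
    consumed by the parser, and entities are decoded back to text."""

    def __init__(self) -> None:
        super().__init__()  # convert_charrefs=True decodes &lt; etc.
        self.parts = []

    def handle_data(self, data: str) -> None:
        self.parts.append(data)


def visible_text(rendered_html: str) -> str:
    """What the admin user sees in the sidebar for a rendered list item."""
    parser = _VisibleText()
    parser.feed(rendered_html)
    parser.close()
    return "".join(parser.parts)


def repr_displayed_intact(rendered_html: str, object_repr: str) -> bool:
    """Defensive check: the full repr must survive rendering as visible text."""
    return object_repr in visible_text(rendered_html)
```

Running visible_text over render_vulnerable shows "Note  for review" with the bracketed word swallowed as a tag, while render_escaped displays the repr exactly as stored.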