django_admin_log items should be HTML-escaped when shown in admin interface
| Reported by: | Tom Tobin <korpios@…> | Owned by: | adrian |
| Has patch: | no | Needs documentation: | no |
| Needs tests: | no | Patch needs improvement: | no |
Admin actions are currently added to the django_admin_log table with the object_repr column set to the object's __repr__. When displayed in the "Recent Actions" sidebar in the admin, however, these bits of text are not escaped to be HTML-safe; anything enclosed in <angle brackets>, for instance, seems invisible to the admin interface user as the browser interprets it as a tag.
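
The effect described in this ticket, as an added example (not Django's code and not part of the original report): a simplified "Recent Actions" renderer run with and without escaping of `object_repr`, with Python's `html.parser` standing in for the browser. The markup, the function names and the sample rows are assumptions constructed for illustration; only the `object_repr` column name comes from the ticket.

```python
from html import escape
from html.parser import HTMLParser

# Constructed sample rows standing in for django_admin_log entries.
SAMPLE_LOG = [
    {"action": "Changed", "object_repr": "<Poll object>"},
    {"action": "Added", "object_repr": "Plain title"},
]


def render_recent_actions(rows, escape_repr):
    """Render a simplified sidebar list (hypothetical markup, not the admin template)."""
    items = []
    for row in rows:
        # The fix is applied at output time: the stored value is left untouched.
        text = escape(row["object_repr"]) if escape_repr else row["object_repr"]
        items.append("<li>{} {}</li>".format(row["action"], text))
    return "<ul>" + "".join(items) + "</ul>"


class VisibleText(HTMLParser):
    """Collect the text an HTML parser treats as displayable, one entry per <li>."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.items = []

    def handle_starttag(self, tag, attrs):
        if tag == "li":
            self.items.append("")

    def handle_data(self, data):
        if self.items:
            self.items[-1] += data


def visible_items(markup):
    """Return the visible text of each list item in the rendered markup."""
    parser = VisibleText()
    parser.feed(markup)
    parser.close()
    return [item.strip() for item in parser.items]


if __name__ == "__main__":
    for flag in (False, True):
        print(flag, visible_items(render_recent_actions(SAMPLE_LOG, flag)))
```

Without escaping, the parser consumes `<Poll object>` as an unknown start tag, so the entry shows only the action word; with escaping, the full representation is displayed as text.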