Opened 10 years ago

Closed 10 years ago

Last modified 8 years ago

#758 closed defect (fixed)

django_admin_log items should be HTML-escaped when shown in admin interface

Reported by: Tom Tobin <korpios@…> Owned by: adrian
Component: contrib.admin Version:
Severity: normal Keywords:
Cc: Triage Stage: Accepted
Has patch: no Needs documentation: no
Needs tests: no Patch needs improvement: no
Easy pickings: UI/UX:


Admin actions are currently added to the django_admin_log table with the object_repr column set to the object's __repr__. When displayed in the "Recent Actions" sidebar in the admin, however, these bits of text are not escaped to be HTML-safe; anything enclosed in <angle brackets>, for instance, seems invisible to the admin interface user as the browser interprets it as a tag.

Change History (3)

comment:1 Changed 10 years ago by Tom Tobin <korpios@…>

In the admin/index template, changing {{ entry.object_repr }} to {{ entry.object_repr|escape }} would do the trick.

comment:2 Changed 10 years ago by adrian

  • Resolution set to fixed
  • Status changed from new to closed

(In [1149]) Fixed #758 -- HTML-escaped admin log items in admin index template. Thanks, Tom Tobin

comment:3 Changed 8 years ago by korpios

  • Reporter changed from Tom Tobin <korpios@…> to Tom Tobin <korpios@…>
Note: See TracTickets for help on using tickets.
Back to Top