Opened 16 years ago

Closed 16 years ago

Last modified 13 years ago

#8258 closed (duplicate)

Double escaping in admin delete confirmation

Reported by: Julien Phalip
Owned by: nobody
Component: contrib.admin
Version: dev
Severity:
Keywords:
Cc:
Triage Stage: Accepted
Has patch: yes
Needs documentation: no
Needs tests: no
Patch needs improvement: yes
Easy pickings: no
UI/UX: no

Description

As reported by Pryankster in [1], the related objects to be deleted and listed in the admin's delete confirmation page are escaped twice: once in admin.util.get_deleted_objects() and once in the unordered_list filter.

[1] http://groups.google.com/group/django-users/browse_thread/thread/911d5a0f6c53fdf2

Attachments (1)

8258.delete.autoescape.diff (896 bytes) - added by Julien Phalip 16 years ago.
Turns off autoescaping in the unordered_list filter

Change History (4)

by Julien Phalip, 16 years ago

Attachment: 8258.delete.autoescape.diff added

Turns off autoescaping in the unordered_list filter

comment:1 by Malcolm Tredinnick, 16 years ago

Patch needs improvement: set
Triage Stage: Unreviewed → Accepted

That patch is not the right solution. The filter should be made safestring-aware. There are plenty of filters that already do this, so they can be used as templates.

Turning off autoescaping explicitly for short sections like that is usually a sign of trying to hide the symptoms of the real problem.
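
The double escaping described in this ticket, next to the safestring-aware approach suggested in comment:1, as an added example that is not part of the ticket or Django's own code. `SafeText`, `conditional_escape`, `render_list` and `describe_object` are simplified stand-ins written for this example, and the sample data is constructed.

```python
from html import escape


class SafeText(str):
    """Constructed stand-in for a safe string: text already escaped for HTML."""


def conditional_escape(value):
    """Escape a value unless the producer already marked it safe."""
    if isinstance(value, SafeText):
        return value
    return SafeText(escape(str(value)))


def render_list(items, escaper):
    """Simplified list filter: strings become <li>, nested lists become <ul>."""
    parts = []
    for item in items:
        if isinstance(item, (list, tuple)):
            parts.append("<ul>%s</ul>" % render_list(item, escaper))
        else:
            parts.append("<li>%s</li>" % escaper(item))
    return SafeText("".join(parts))


def describe_object(kind, name, url):
    """Hypothetical producer: escapes each value once and returns safe markup."""
    return SafeText('%s: <a href="%s">%s</a>'
                    % (escape(kind), escape(url), escape(name)))


# Constructed sample data: one pre-escaped entry and one raw, unmarked string.
OBJECTS = [describe_object("Book", "Tom & Jerry", "/admin/book/1/"),
           ["Note: <b>raw</b>"]]

ALWAYS = render_list(OBJECTS, escape)              # escapes safe markup a second time
NEVER = render_list(OBJECTS, str)                  # filter does no escaping at all
AWARE = render_list(OBJECTS, conditional_escape)   # safestring-aware filter

if __name__ == "__main__":
    for label, html in (("always", ALWAYS), ("never", NEVER), ("aware", AWARE)):
        print("%-6s %s" % (label, html))
```

Only the safestring-aware variant renders the link once-escaped while still escaping the raw string that nobody marked safe.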

comment:2 by anonymous, 16 years ago

Resolution: duplicate
Status: new → closed

#6101 reported this a long time ago.

comment:3 by Jacob, 13 years ago

milestone: 1.0

Milestone 1.0 deleted
