Opened 7 years ago

Closed 7 years ago

Last modified 3 years ago

#8258 closed (duplicate)

Double escaping in admin delete confirmation

Reported by: julien
Owned by: nobody
Component: contrib.admin
Version: master
Severity:
Keywords:
Cc:
Triage Stage: Accepted
Has patch: yes
Needs documentation: no
Needs tests: no
Patch needs improvement: yes
Easy pickings:
UI/UX:

Description

As reported by Pryankster in [1], the related objects to be deleted and listed in the admin's delete confirmation page are escaped twice: once in admin.util.get_deleted_objects() and once in the unordered_list filter.

[1] http://groups.google.com/group/django-users/browse_thread/thread/911d5a0f6c53fdf2

Attachments (1)

8258.delete.autoescape.diff (896 bytes) - added by julien 7 years ago.
Turns off autoescaping in the unordered_list filter


Change History (4)

Changed 7 years ago by julien

Turns off autoescaping in the unordered_list filter

comment:1 Changed 7 years ago by mtredinnick

  • Needs documentation unset
  • Needs tests unset
  • Patch needs improvement set
  • Triage Stage changed from Unreviewed to Accepted

That patch is not the right solution. The filter should be made safestring-aware. There are plenty of filters that already do this, so they can be used as templates.

Turning off autoescaping explicitly for short sections like that is usually a sign of trying to hide the symptoms of the real problem.
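A stand-alone model of the double escaping reported above and of the safestring-aware approach suggested in comment:1, added here as an illustration; it is not Django's code or the attached patch. `SafeText`, `collect_related` and the simplified `unordered_list` are hypothetical stand-ins built on the standard library only, and the object name is constructed.

```python
from html import escape

class SafeText(str):
    """Marker type: the text is already HTML-escaped (models a 'safe string')."""

def conditional_escape(value):
    # Escape only values that are not already marked as escaped.
    if isinstance(value, SafeText):
        return value
    return SafeText(escape(str(value)))

def collect_related(names, mark=False):
    # Stand-in for the helper that escapes object names before listing them.
    # mark=False reproduces the ticket: escaped text comes back as a plain str,
    # so the next layer cannot tell that it was already escaped.
    return [SafeText(escape(n)) if mark else escape(n) for n in names]

def unordered_list(items, escaper):
    # Simplified list filter: nested lists become nested <ul> elements.
    parts = []
    for item in items:
        if isinstance(item, list):
            parts.append("<ul>%s</ul>" % unordered_list(item, escaper))
        else:
            parts.append("<li>%s</li>" % escaper(item))
    return "".join(parts)

NAME = "Tom & <b>Jerry</b>"  # constructed object name containing markup

def double_escaped():
    # Helper escapes once, the filter escapes again: entities shown literally.
    return unordered_list(collect_related([NAME]), escape)

def autoescape_off(items):
    # Escaping disabled in the filter: correct only if every caller pre-escapes.
    return unordered_list(items, lambda s: s)

def safestring_aware(items):
    # Filter escapes unmarked input and passes marked input through unchanged.
    return unordered_list(items, conditional_escape)

if __name__ == "__main__":
    print(double_escaped())
    print(autoescape_off([NAME]))  # raw markup reaches the page
    print(safestring_aware(collect_related([NAME], mark=True)))
    print(safestring_aware([NAME]))  # unmarked input is still escaped
```

With escaping switched off, the output is only as safe as the least careful caller; the safestring-aware version gives single-escaped output for both marked and unmarked input.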

comment:2 Changed 7 years ago by anonymous

  • Resolution set to duplicate
  • Status changed from new to closed

#6101 reported this a long time ago.

comment:3 Changed 3 years ago by jacob

  • milestone 1.0 deleted

Milestone 1.0 deleted
