Opened 8 years ago

Closed 8 years ago

Last modified 5 years ago

#8258 closed (duplicate)

Double escaping in admin delete confirmation

Reported by: Julien Phalip
Owned by: nobody
Component: contrib.admin
Version: master
Severity:
Keywords:
Cc:
Triage Stage: Accepted
Has patch: yes
Needs documentation: no
Needs tests: no
Patch needs improvement: yes
Easy pickings:
UI/UX:


As reported by Pryankster in [1], the related objects to be deleted and listed in the admin's delete confirmation page are escaped twice: once in admin.util.get_deleted_objects() and once in the unordered_list filter.


Attachments (1)

8258.delete.autoescape.diff (896 bytes) - added by Julien Phalip 8 years ago.
Turns off autoescaping in the unordered_list filter


Change History (4)

Changed 8 years ago by Julien Phalip

Attachment: 8258.delete.autoescape.diff added

Turns off autoescaping in the unordered_list filter

comment:1 Changed 8 years ago by Malcolm Tredinnick

Needs documentation: unset
Needs tests: unset
Patch needs improvement: set
Triage Stage: Unreviewed → Accepted

That patch is not the right solution. The filter should be made safestring-aware. There are plenty of filters that already do this, so they can be used as templates.

Turning off autoescaping explicitly for short sections like that is usually a sign of trying to hide the symptoms of the real problem.
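The three behaviours discussed in this ticket, side by side, as an added example that is not part of the original comment and not Django's own code. `SafeText`, `mark_safe` and `conditional_escape` are minimal stand-ins named after Django's safe-string helpers, and `describe_related`, `render_list` and the sample data are hypothetical.

```python
from html import escape


class SafeText(str):
    """Text already escaped for HTML (stand-in for Django's safe strings)."""


def mark_safe(s):
    return SafeText(s)


def conditional_escape(value):
    """Escape unless the value was explicitly marked safe."""
    return value if isinstance(value, SafeText) else escape(str(value))


def describe_related(kind, name, url):
    """Hypothetical stand-in for one entry from get_deleted_objects():
    each part is escaped once here, then the finished markup is marked safe."""
    return mark_safe('%s: <a href="%s">%s</a>'
                     % (escape(kind), escape(url), escape(name)))


def render_list(items, escaper):
    """Nested list rendering in the style of unordered_list (simplified)."""
    out = []
    for item in items:
        if isinstance(item, list):
            out.append("<ul>%s</ul>" % render_list(item, escaper))
        else:
            out.append("<li>%s</li>" % escaper(item))
    return mark_safe("".join(out))


def unordered_list_double(items):
    # Escapes every item again, safe or not: the double escaping reported here.
    return render_list(items, escape)


def unordered_list_autoescape_off(items):
    # Models switching escaping off: unmarked strings reach the page raw.
    return render_list(items, str)


def unordered_list_safe_aware(items):
    # Safe-string aware: escapes only what has not been marked safe.
    return render_list(items, conditional_escape)


# Constructed sample: one entry built by the helper, one unmarked raw string.
ITEMS = [describe_related("Poll", "Tom & Jerry", "/admin/polls/poll/1/"),
         ["<b>raw</b>"]]
```

With escaping switched off, the unmarked `<b>raw</b>` item is emitted as markup, which is the symptom-hiding risk the comment points at; the safe-aware version renders the link once-escaped and still escapes the raw string.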

comment:2 Changed 8 years ago by anonymous

Resolution: duplicate
Status: new → closed

#6101 reported this a long time ago.

comment:3 Changed 5 years ago by Jacob

milestone: 1.0

Milestone 1.0 deleted
