Opened 8 years ago

Closed 8 years ago

Last modified 5 years ago

#8258 closed (duplicate)

Double escaping in admin delete confirmation

Reported by: julien Owned by: nobody
Component: contrib.admin Version: master
Severity: Keywords:
Cc: Triage Stage: Accepted
Has patch: yes Needs documentation: no
Needs tests: no Patch needs improvement: yes
Easy pickings: UI/UX:


As reported by Pryankster in [1], the related objects to be deleted and listed in the admin's delete confirmation page are escaped twice: once in admin.util.get_deleted_objects() and once in the unordered_list filter.


Attachments (1)

8258.delete.autoescape.diff (896 bytes) - added by julien 8 years ago.
Turns off autoescaping in the unordered_list filter


Change History (4)

Changed 8 years ago by julien

Turns off autoescaping in the unordered_list filter

comment:1 Changed 8 years ago by mtredinnick

  • Needs documentation unset
  • Needs tests unset
  • Patch needs improvement set
  • Triage Stage changed from Unreviewed to Accepted

That patch is not the right solution. The filter should be made safestring-aware. There are plenty of filters that already do this, so they can be used as templates.

Turning off autoescaping explicitly for short sections like that is usually a sign of trying to hide the symptoms of the real problem.
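
Added example, not part of the ticket or of Django's code: a pure-Python model of the three behaviours discussed above (filter escapes everything, escaping turned off around the filter, safestring-aware filter). `SafeText`, `escape`, `conditional_escape` and the three `unordered_list_*` functions are hypothetical stand-ins, the list is flat, and it is an assumption that the helper marks its already-escaped output as safe.

```python
import html


class SafeText(str):
    """A string already escaped for HTML (hypothetical stand-in for a safestring)."""


def escape(value):
    """Escape unconditionally and mark the result safe."""
    return SafeText(html.escape(str(value)))


def conditional_escape(value):
    """Escape only values that are not already marked safe."""
    return value if isinstance(value, SafeText) else escape(value)


def get_deleted_objects(names):
    """Model of the admin helper: escapes each label once, marks it safe."""
    return [SafeText("Comment: %s" % escape(name)) for name in names]


def _render(items, convert):
    return SafeText("".join("<li>%s</li>" % convert(item) for item in items))


def unordered_list_naive(items):
    """Escapes every item again: the double escaping from the ticket."""
    return _render(items, escape)


def unordered_list_autoescape_off(items):
    """Escaping switched off around the filter: unsafe items pass through raw."""
    return _render(items, str)


def unordered_list_safe_aware(items):
    """Safestring-aware: escapes only what has not been escaped yet."""
    return _render(items, conditional_escape)


if __name__ == "__main__":
    # Constructed sample data: one pre-escaped label, one plain string.
    items = get_deleted_objects(["R&D <notes>"]) + ["<i>plain</i>"]
    for render in (unordered_list_naive, unordered_list_autoescape_off,
                   unordered_list_safe_aware):
        print("%-30s %s" % (render.__name__, render(items)))
```

Only the safestring-aware variant renders the pre-escaped label once and still escapes the plain string; switching escaping off fixes the first item at the cost of the second.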

comment:2 Changed 8 years ago by anonymous

  • Resolution set to duplicate
  • Status changed from new to closed

#6101 reported this a long time ago.

comment:3 Changed 5 years ago by jacob

  • milestone 1.0 deleted

Milestone 1.0 deleted
