#8258 closed (duplicate)
Double escaping in admin delete confirmation
| Reported by: | Julien Phalip | Owned by: | nobody |
|---|---|---|---|
| Component: | contrib.admin | Version: | dev |
| Severity: | Keywords: | ||
| Cc: | Triage Stage: | Accepted | |
| Has patch: | yes | Needs documentation: | no |
| Needs tests: | no | Patch needs improvement: | yes |
| Easy pickings: | no | UI/UX: | no |
Description
As reported by Pryankster in [1], the related objects to be deleted and listed in the admin's delete confirmation page are escaped twice: once in admin.util.get_deleted_objects() and once in the unordered_list filter.
[1] http://groups.google.com/group/django-users/browse_thread/thread/911d5a0f6c53fdf2
Attachments (1)
Change History (4)
by , 16 years ago
| Attachment: | 8258.delete.autoescape.diff added |
|---|
comment:1 by , 16 years ago
| Patch needs improvement: | set |
|---|---|
| Triage Stage: | Unreviewed → Accepted |
That patch is not the right solution. The filter should be made safestring-aware. There are plenty of filters that already do this, so they can be used as templates.
Turning off autescaping explicitly for short sections like that is usually a sign of trying to hide the symptoms of the real problem.
comment:2 by , 16 years ago
| Resolution: | → duplicate |
|---|---|
| Status: | new → closed |
#6101 reported this a long time ago.
Note:
See TracTickets
for help on using tickets.
Turns off autoescaping in the unordered_list filter