#8258 closed (duplicate)
Double escaping in admin delete confirmation
Reported by: | Julien Phalip | Owned by: | nobody |
---|---|---|---|
Component: | contrib.admin | Version: | dev |
Severity: | | Keywords: | |
Cc: | | Triage Stage: | Accepted |
Has patch: | yes | Needs documentation: | no |
Needs tests: | no | Patch needs improvement: | yes |
Easy pickings: | no | UI/UX: | no |
Description
As reported by Pryankster in [1], the related objects to be deleted and listed in the admin's delete confirmation page are escaped twice: once in admin.util.get_deleted_objects() and once in the unordered_list filter.
[1] http://groups.google.com/group/django-users/browse_thread/thread/911d5a0f6c53fdf2
Attachments (1)
Change History (4)
by , 16 years ago
Attachment: | 8258.delete.autoescape.diff added |
---|
comment:1 by , 16 years ago
Patch needs improvement: | set |
---|---|
Triage Stage: | Unreviewed → Accepted |
That patch is not the right solution. The filter should be made safestring-aware. There are plenty of filters that already do this, so they can be used as templates.
Turning off autoescaping explicitly for short sections like that is usually a sign of trying to hide the symptoms of the real problem.
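
The double escaping described in this ticket, next to a list filter that respects an "already escaped" marker as comment:1 suggests, as an added example that is not part of the ticket or of Django's code. `SafeText`, `escape_unless_safe`, `describe_object*` and `unordered_list_*` are hypothetical stand-ins built on the standard library, not Django's implementations.

```python
from html import escape


class SafeText(str):
    """Marker type: the string is already HTML-escaped (hypothetical stand-in)."""


def escape_unless_safe(value):
    """Escape a value exactly once; leave values marked SafeText untouched."""
    if isinstance(value, SafeText):
        return value
    return SafeText(escape(str(value)))


def describe_object(name):
    """View helper that escapes the name but returns a plain str (marker lost)."""
    return "Article: " + escape(name)


def describe_object_marked(name):
    """Same helper, but it marks its already-escaped output as SafeText."""
    return SafeText("Article: " + escape(name))


def unordered_list_naive(items):
    """List filter that escapes every item unconditionally."""
    return "".join(f"<li>{escape(item)}</li>" for item in items)


def unordered_list_safe_aware(items):
    """List filter that escapes only items not already marked safe."""
    return SafeText("".join(f"<li>{escape_unless_safe(item)}</li>" for item in items))


if __name__ == "__main__":
    name = "R&D <notes>"  # constructed sample object name
    print(unordered_list_naive([describe_object(name)]))              # escaped twice
    print(unordered_list_safe_aware([describe_object_marked(name)]))  # escaped once
    print(unordered_list_safe_aware([name]))                          # raw input still escaped
```

The last call shows that the marker-aware filter keeps escaping unmarked input, so untrusted object names are never emitted raw.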
comment:2 by , 16 years ago
Resolution: | → duplicate |
---|---|
Status: | new → closed |
#6101 reported this a long time ago.
Turns off autoescaping in the unordered_list filter