From 4decf03f9ceb0162a7de757cdb3985100faf028b Mon Sep 17 00:00:00 2001
From: Luke Plant
Date: Fri, 11 Sep 2009 09:42:17 +0000
Subject: [PATCH] Fixed #11502 - wrong escaping in admin. Thanks Tomasz Elendt.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@11497 bcc190cf-cafb-0310-a4f2-bffc1f526a37
---
 django/contrib/admin/templatetags/admin_list.py | 2 +-
 django/contrib/admin/widgets.py | 3 ++-
 2 files changed, 3 insertions(+), 2 deletions(-)
diff --git a/django/contrib/admin/templatetags/admin_list.py b/django/contrib/admin/templatetags/admin_list.py
index 3c545539ee..9a4ce3b266 100644
--- a/django/contrib/admin/templatetags/admin_list.py
+++ b/django/contrib/admin/templatetags/admin_list.py
@@ -265,7 +265,7 @@ def date_hierarchy(cl):
 day_lookup = cl.params.get(day_field)
 year_month_format, month_day_format = get_partial_date_formats()
- link = lambda d: mark_safe(cl.get_query_string(d, [field_generic]))
+ link = lambda d: cl.get_query_string(d, [field_generic])
 if year_lookup and month_lookup and day_lookup:
 day = datetime.date(int(year_lookup), int(month_lookup), int(day_lookup))
diff --git a/django/contrib/admin/widgets.py b/django/contrib/admin/widgets.py
index eacea44a31..fb5acb5295 100644
--- a/django/contrib/admin/widgets.py
+++ b/django/contrib/admin/widgets.py
@@ -7,6 +7,7 @@ import copy
 from django import forms
 from django.forms.widgets import RadioFieldRenderer
 from django.forms.util import flatatt
+from django.utils.html import escape
 from django.utils.text import truncate_words
 from django.utils.translation import ugettext as _
 from django.utils.safestring import mark_safe
@@ -148,7 +149,7 @@ class ForeignKeyRawIdWidget(forms.TextInput):
 def label_for_value(self, value):
 key = self.rel.get_related_field().name
 obj = self.rel.to._default_manager.get(**{key: value})
- return ' %s' % truncate_words(obj, 14)
+ return ' %s' % escape(truncate_words(obj, 14))
 class ManyToManyRawIdWidget(ForeignKeyRawIdWidget):
 """
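Review bot: With `mark_safe` removed from `link` in date_hierarchy, the safety of the rendered link now rests entirely on what `cl.get_query_string()` returns and on the template autoescaping it, and neither is visible in this hunk. If that method already returns a safe string or joins parameters with a pre-escaped `&amp;`, the change has no effect or produces double escaping, so it is worth confirming that it returns a plain string. HTML escaping is also not URL encoding: the lookup values come from `cl.params`, so they should be percent-encoded before they are placed in the query string. I would add a comment above the lambda, `# Not marked safe: the template autoescapes the query string.`, and a regression test with a parameter value containing `&` and `"`, since the diffstat lists no test file. The body of date_hierarchy starts and ends outside the hunk.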
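Review bot: `label_for_value` still calls `self.rel.to._default_manager.get(**{key: value})` with no error handling, so a raw id that matches no row, or that cannot be coerced to the key's type, raises out of the widget instead of rendering an empty label; `value` presumably comes from the submitted form field. Wrapping the lookup in `try:` with `except (ValueError, self.rel.to.DoesNotExist): return ''` would keep a bad id from becoming a server error. The escaping itself is applied in the right order, after `truncate_words`, so truncation cannot cut an entity in half. A one-line docstring such as `"""Return the HTML-escaped, truncated label for the related object."""` would record that callers receive escaped text. The class body starts outside the hunk.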