From 09da1666090b12cd1a4d716ba417c96133b0fa3b Mon Sep 17 00:00:00 2001 From: Adrian Holovaty Date: Sun, 15 Jan 2006 06:28:41 +0000 Subject: [PATCH] Fixed #615 -- Admin views now use escape() instead of strip_tags(). Thanks, Sune Kirkeby git-svn-id: http://code.djangoproject.com/svn/django/trunk@1982 bcc190cf-cafb-0310-a4f2-bffc1f526a37 --- django/contrib/admin/templatetags/admin_list.py | 6 +++--- django/contrib/admin/views/main.py | 12 ++++++------ 2 files changed, 9 insertions(+), 9 deletions(-) diff --git a/django/contrib/admin/templatetags/admin_list.py b/django/contrib/admin/templatetags/admin_list.py index 471f1930a9..beb9f7f4d0 100644 --- a/django/contrib/admin/templatetags/admin_list.py +++ b/django/contrib/admin/templatetags/admin_list.py @@ -4,7 +4,7 @@ from django.contrib.admin.views.main import IS_POPUP_VAR, EMPTY_CHANGELIST_VALUE from django.core import meta, template from django.core.exceptions import ObjectDoesNotExist from django.utils import dateformat -from django.utils.html import strip_tags, escape +from django.utils.html import escape from django.utils.text import capfirst from django.utils.translation import get_date_formats from django.conf.settings import ADMIN_MEDIA_PREFIX @@ -122,7 +122,7 @@ def items_for_result(cl, result): # Strip HTML tags in the resulting text, except if the # function has an "allow_tags" attribute set to True. if not getattr(func, 'allow_tags', False): - result_repr = strip_tags(result_repr) + result_repr = escape(result_repr) else: field_val = getattr(result, f.attname) @@ -163,7 +163,7 @@ def items_for_result(cl, result): elif f.choices: result_repr = dict(f.choices).get(field_val, EMPTY_CHANGELIST_VALUE) else: - result_repr = strip_tags(str(field_val)) + result_repr = escape(str(field_val)) if result_repr == '': result_repr = ' ' if first: # First column is a special case diff --git a/django/contrib/admin/views/main.py b/django/contrib/admin/views/main.py index 388203efac..65d96a8780 100644 --- a/django/contrib/admin/views/main.py +++ b/django/contrib/admin/views/main.py @@ -13,7 +13,7 @@ try: from django.models.admin import log except ImportError: raise ImproperlyConfigured, "You don't have 'django.contrib.admin' in INSTALLED_APPS." -from django.utils.html import strip_tags +from django.utils.html import escape from django.utils.httpwrappers import HttpResponse, HttpResponseRedirect from django.utils.text import capfirst, get_text_list from django.utils import dateformat @@ -588,11 +588,11 @@ def _get_deleted_objects(deleted_objects, perms_needed, user, obj, opts, current if related.field.rel.edit_inline or not related.opts.admin: # Don't display link to edit, because it either has no # admin or is edited inline. - nh(deleted_objects, current_depth, ['%s: %s' % (capfirst(related.opts.verbose_name), strip_tags(str(sub_obj))), []]) + nh(deleted_objects, current_depth, ['%s: %s' % (capfirst(related.opts.verbose_name), escape(str(sub_obj))), []]) else: # Display a link to the admin page. nh(deleted_objects, current_depth, ['%s: %s' % \ - (capfirst(related.opts.verbose_name), related.opts.app_label, related.opts.module_name, getattr(sub_obj, related.opts.pk.attname), strip_tags(str(sub_obj))), []]) + (capfirst(related.opts.verbose_name), related.opts.app_label, related.opts.module_name, getattr(sub_obj, related.opts.pk.attname), escape(str(sub_obj))), []]) _get_deleted_objects(deleted_objects, perms_needed, user, sub_obj, related.opts, current_depth+2) # If there were related objects, and the user doesn't have # permission to delete them, add the missing perm to perms_needed. @@ -612,13 +612,13 @@ def _get_deleted_objects(deleted_objects, perms_needed, user, obj, opts, current # Don't display link to edit, because it either has no # admin or is edited inline. nh(deleted_objects, current_depth, [_('One or more %(fieldname)s in %(name)s: %(obj)s') % \ - {'fieldname': related.field.name, 'name': related.opts.verbose_name, 'obj': strip_tags(str(sub_obj))}, []]) + {'fieldname': related.field.name, 'name': related.opts.verbose_name, 'obj': escape(str(sub_obj))}, []]) else: # Display a link to the admin page. nh(deleted_objects, current_depth, [ (_('One or more %(fieldname)s in %(name)s:') % {'fieldname': related.field.name, 'name':related.opts.verbose_name}) + \ (' %s' % \ - (related.opts.app_label, related.opts.module_name, getattr(sub_obj, related.opts.pk.attname), strip_tags(str(sub_obj)))), []]) + (related.opts.app_label, related.opts.module_name, getattr(sub_obj, related.opts.pk.attname), escape(str(sub_obj)))), []]) # If there were related objects, and the user doesn't have # permission to change them, add the missing perm to perms_needed. if related.opts.admin and has_related_objs: @@ -635,7 +635,7 @@ def delete_stage(request, app_label, module_name, object_id): # Populate deleted_objects, a data structure of all related objects that # will also be deleted. - deleted_objects = ['%s: %s' % (capfirst(opts.verbose_name), object_id, strip_tags(str(obj))), []] + deleted_objects = ['%s: %s' % (capfirst(opts.verbose_name), object_id, escape(str(obj))), []] perms_needed = sets.Set() _get_deleted_objects(deleted_objects, perms_needed, request.user, obj, opts, 1)