p15693087
/
django
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

Fixed #615 -- Admin views now use escape() instead of strip_tags(). Thanks, Sune Kirkeby 

git-svn-id: http://code.djangoproject.com/svn/django/trunk@1982 bcc190cf-cafb-0310-a4f2-bffc1f526a37
This commit is contained in:
Adrian Holovaty 2006-01-15 06:28:41 +00:00
parent d862908b67
commit 09da166609
2 changed files with 9 additions and 9 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
django/contrib/admin/templatetags/admin_list.py
View File

@ -4,7 +4,7 @@ from django.contrib.admin.views.main import IS_POPUP_VAR, EMPTY_CHANGELIST_VALUE
from django.core import meta, template from django.core import meta, template
from django.core.exceptions import ObjectDoesNotExist from django.core.exceptions import ObjectDoesNotExist
from django.utils import dateformat from django.utils import dateformat
from django.utils.html import strip_tags, escape from django.utils.html import escape
from django.utils.text import capfirst from django.utils.text import capfirst
from django.utils.translation import get_date_formats from django.utils.translation import get_date_formats
from django.conf.settings import ADMIN_MEDIA_PREFIX from django.conf.settings import ADMIN_MEDIA_PREFIX
@ -122,7 +122,7 @@ def items_for_result(cl, result):
# Strip HTML tags in the resulting text, except if the # Strip HTML tags in the resulting text, except if the
# function has an "allow_tags" attribute set to True. # function has an "allow_tags" attribute set to True.
if not getattr(func, 'allow_tags', False): if not getattr(func, 'allow_tags', False):
result_repr = strip_tags(result_repr) result_repr = escape(result_repr)
else: else:
field_val = getattr(result, f.attname) field_val = getattr(result, f.attname)
@ -163,7 +163,7 @@ def items_for_result(cl, result):
elif f.choices: elif f.choices:
result_repr = dict(f.choices).get(field_val, EMPTY_CHANGELIST_VALUE) result_repr = dict(f.choices).get(field_val, EMPTY_CHANGELIST_VALUE)
else: else:
result_repr = strip_tags(str(field_val)) result_repr = escape(str(field_val))
if result_repr == '': if result_repr == '':
result_repr = ' ' result_repr = ' '
if first: # First column is a special case if first: # First column is a special case

12
django/contrib/admin/views/main.py
View File

@ -13,7 +13,7 @@ try:
from django.models.admin import log from django.models.admin import log
except ImportError: except ImportError:
raise ImproperlyConfigured, "You don't have 'django.contrib.admin' in INSTALLED_APPS." raise ImproperlyConfigured, "You don't have 'django.contrib.admin' in INSTALLED_APPS."
from django.utils.html import strip_tags from django.utils.html import escape
from django.utils.httpwrappers import HttpResponse, HttpResponseRedirect from django.utils.httpwrappers import HttpResponse, HttpResponseRedirect
from django.utils.text import capfirst, get_text_list from django.utils.text import capfirst, get_text_list
from django.utils import dateformat from django.utils import dateformat
@ -588,11 +588,11 @@ def _get_deleted_objects(deleted_objects, perms_needed, user, obj, opts, current
if related.field.rel.edit_inline or not related.opts.admin: if related.field.rel.edit_inline or not related.opts.admin:
# Don't display link to edit, because it either has no # Don't display link to edit, because it either has no
# admin or is edited inline. # admin or is edited inline.
nh(deleted_objects, current_depth, ['%s: %s' % (capfirst(related.opts.verbose_name), strip_tags(str(sub_obj))), []]) nh(deleted_objects, current_depth, ['%s: %s' % (capfirst(related.opts.verbose_name), escape(str(sub_obj))), []])
else: else:
# Display a link to the admin page. # Display a link to the admin page.
nh(deleted_objects, current_depth, ['%s: <a href="../../../../%s/%s/%s/">%s</a>' % \ nh(deleted_objects, current_depth, ['%s: <a href="../../../../%s/%s/%s/">%s</a>' % \
(capfirst(related.opts.verbose_name), related.opts.app_label, related.opts.module_name, getattr(sub_obj, related.opts.pk.attname), strip_tags(str(sub_obj))), []]) (capfirst(related.opts.verbose_name), related.opts.app_label, related.opts.module_name, getattr(sub_obj, related.opts.pk.attname), escape(str(sub_obj))), []])
_get_deleted_objects(deleted_objects, perms_needed, user, sub_obj, related.opts, current_depth+2) _get_deleted_objects(deleted_objects, perms_needed, user, sub_obj, related.opts, current_depth+2)
# If there were related objects, and the user doesn't have # If there were related objects, and the user doesn't have
# permission to delete them, add the missing perm to perms_needed. # permission to delete them, add the missing perm to perms_needed.
@ -612,13 +612,13 @@ def _get_deleted_objects(deleted_objects, perms_needed, user, obj, opts, current
# Don't display link to edit, because it either has no # Don't display link to edit, because it either has no
# admin or is edited inline. # admin or is edited inline.
nh(deleted_objects, current_depth, [_('One or more %(fieldname)s in %(name)s: %(obj)s') % \ nh(deleted_objects, current_depth, [_('One or more %(fieldname)s in %(name)s: %(obj)s') % \
{'fieldname': related.field.name, 'name': related.opts.verbose_name, 'obj': strip_tags(str(sub_obj))}, []]) {'fieldname': related.field.name, 'name': related.opts.verbose_name, 'obj': escape(str(sub_obj))}, []])
else: else:
# Display a link to the admin page. # Display a link to the admin page.
nh(deleted_objects, current_depth, [ nh(deleted_objects, current_depth, [
(_('One or more %(fieldname)s in %(name)s:') % {'fieldname': related.field.name, 'name':related.opts.verbose_name}) + \ (_('One or more %(fieldname)s in %(name)s:') % {'fieldname': related.field.name, 'name':related.opts.verbose_name}) + \
(' <a href="../../../../%s/%s/%s/">%s</a>' % \ (' <a href="../../../../%s/%s/%s/">%s</a>' % \
(related.opts.app_label, related.opts.module_name, getattr(sub_obj, related.opts.pk.attname), strip_tags(str(sub_obj)))), []]) (related.opts.app_label, related.opts.module_name, getattr(sub_obj, related.opts.pk.attname), escape(str(sub_obj)))), []])
# If there were related objects, and the user doesn't have # If there were related objects, and the user doesn't have
# permission to change them, add the missing perm to perms_needed. # permission to change them, add the missing perm to perms_needed.
if related.opts.admin and has_related_objs: if related.opts.admin and has_related_objs:
@ -635,7 +635,7 @@ def delete_stage(request, app_label, module_name, object_id):
# Populate deleted_objects, a data structure of all related objects that # Populate deleted_objects, a data structure of all related objects that
# will also be deleted. # will also be deleted.
deleted_objects = ['%s: <a href="../../%s/">%s</a>' % (capfirst(opts.verbose_name), object_id, strip_tags(str(obj))), []] deleted_objects = ['%s: <a href="../../%s/">%s</a>' % (capfirst(opts.verbose_name), object_id, escape(str(obj))), []]
perms_needed = sets.Set() perms_needed = sets.Set()
_get_deleted_objects(deleted_objects, perms_needed, request.user, obj, opts, 1) _get_deleted_objects(deleted_objects, perms_needed, request.user, obj, opts, 1)