[Django] #34283: Missing parameter escaping in admin filters.js


Django

Jan 22, 2023, 11:41:22 AM
to django-...@googlegroups.com
#34283: Missing parameter escaping in admin filters.js
-----------------------------------------+------------------------
Reporter: ef-end-y | Owner: nobody
Type: Bug | Status: new
Component: contrib.admin | Version: 4.1
Severity: Normal | Keywords:
Triage Stage: Unreviewed | Has patch: 0
Needs documentation: 0 | Needs tests: 0
Patch needs improvement: 0 | Easy pickings: 0
UI/UX: 0 |
-----------------------------------------+------------------------
I am using the Ukrainian language in the Django admin. This language has an
apostrophe that users often write as '.

My code:

{{{
from django.contrib import admin

class HasMasterFilter(admin.SimpleListFilter):
    title = "Пов'язаний?"
}}}


leads to an error in /django/contrib/admin/static/admin/js/filters.js at the
line:


{{{
const detailElement = document.querySelector(`[data-filter-title='${key}']`);
}}}


It's needed to escape the value in key.

--
Ticket URL: <https://code.djangoproject.com/ticket/34283>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.

Django

Jan 22, 2023, 12:02:48 PM
to django-...@googlegroups.com
#34283: Missing parameter escaping in admin filters.js
-------------------------------+--------------------------------------
Reporter: ef-end-y | Owner: nobody
Type: Bug | Status: new
Component: contrib.admin | Version: 4.1
Severity: Normal | Resolution:
Keywords: | Triage Stage: Unreviewed
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------+--------------------------------------
Changes (by ef-end-y):

* cc: ef-end-y (added)
* has_patch: 0 => 1


Comment:

Patch:

{{{
14c14


< const detailElement = document.querySelector(`[data-filter-
title='${key}']`);

---


> const detailElement = document.querySelector(`[data-filter-

title='${CSS.escape(key)}']`);
30a31
>

}}}
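
Review bot: the `14c14` replacement wraps `key` in `CSS.escape()` but comes with no regression test; a changelist filter whose title contains an apostrophe (the reported case) should be exercised so the `querySelector` call cannot regress. The escaped value still sits inside a single-quoted attribute selector, which works because `CSS.escape()` backslash-escapes the quote, and a short comment on that line noting that the title is free-form text would help the next reader. The patch is also a bare `diff` without file names, so a unified diff or a pull request would be easier to apply.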

--
Ticket URL: <https://code.djangoproject.com/ticket/34283#comment:1>
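
The failure reported above and the effect of the `CSS.escape()` patch, as an added example that is not part of the ticket or of Django's code. It assumes a non-browser runtime, so `cssEscape` is a stand-in written from the CSSOM escaping rules, and `readFilterTitle`, `unsafeSelector` and `safeSelector` are hypothetical names used only here.

```javascript
// Added example. CSS.escape() is a browser API, so cssEscape() is a stand-in
// that follows the CSSOM "serialize an identifier" rules.
function cssEscape(value) {
  const s = String(value);
  let out = "";
  for (let i = 0; i < s.length; i++) {
    const ch = s[i], c = s.charCodeAt(i);
    const digit = c >= 0x30 && c <= 0x39;
    if (c === 0) out += "\uFFFD";
    else if (c <= 0x1f || c === 0x7f || (digit && (i === 0 || (i === 1 && s[0] === "-"))))
      out += "\\" + c.toString(16) + " "; // code point escape, e.g. "1" -> "\31 "
    else if (c >= 0x80 || /[-_0-9A-Za-z]/.test(ch))
      out += s === "-" ? "\\-" : ch; // a lone "-" must be escaped
    else out += "\\" + ch; // e.g. ' -> \'
  }
  return out;
}

// Hypothetical checker: reads `[data-filter-title='...']` with simplified CSS
// string-token rules. Returns the decoded title, or null when the selector is
// malformed, which is the case where querySelector() throws a SyntaxError.
function readFilterTitle(selector) {
  const prefix = "[data-filter-title='";
  if (!selector.startsWith(prefix)) return null;
  let value = "";
  for (let i = prefix.length; i < selector.length; i++) {
    const ch = selector[i];
    if (ch === "'") return selector.slice(i + 1) === "]" ? value : null;
    if (ch === "\n") return null; // unescaped newline: bad string token
    if (ch !== "\\") { value += ch; continue; }
    const hex = /^[0-9a-fA-F]{1,6}/.exec(selector.slice(i + 1));
    if (hex) {
      const cp = parseInt(hex[0], 16);
      value += cp === 0 || cp > 0x10ffff ? "\uFFFD" : String.fromCodePoint(cp);
      i += hex[0].length;
      if (/\s/.test(selector[i + 1] || "")) i++; // one whitespace ends the escape
    } else if (i + 1 < selector.length) value += selector[++i]; // \' -> '
  }
  return null; // the quoted string was never closed
}

const unsafeSelector = (key) => `[data-filter-title='${key}']`; // pre-patch form
const safeSelector = (key) => `[data-filter-title='${cssEscape(key)}']`; // patched form

const title = "Пов'язаний?"; // filter title from the report
console.log(readFilterTitle(unsafeSelector(title))); // malformed selector
console.log(readFilterTitle(safeSelector(title))); // decodes back to the title
```

The round trip (escape, then decode, then compare with the original title) is the property a regression test for this fix needs to hold for any title text.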

Django

Jan 23, 2023, 12:00:23 AM
to django-...@googlegroups.com
#34283: Missing parameter escaping in admin filters.js
---------------------------------+------------------------------------
Reporter: Stanislav | Owner: nobody
Type: Bug | Status: new
Component: contrib.admin | Version: 4.2
Severity: Release blocker | Resolution:
Keywords: | Triage Stage: Accepted
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
---------------------------------+------------------------------------
Changes (by Mariusz Felisiak):

* cc: Marcelo Galigniana (added)
* has_patch: 1 => 0
* version: 4.1 => 4.2
* severity: Normal => Release blocker
* stage: Unreviewed => Accepted


Comment:

Thanks for the report and testing against the alpha release!

Regression in 27aa7035f57f0db30b6632e4274e18b430906799.

--
Ticket URL: <https://code.djangoproject.com/ticket/34283#comment:2>

Django

Jan 23, 2023, 6:24:21 AM
to django-...@googlegroups.com
#34283: Missing parameter escaping in admin filters.js
---------------------------------+-------------------------------------
Reporter: Stanislav | Owner: Stanislav
Type: Bug | Status: assigned
Component: contrib.admin | Version: 4.2
Severity: Release blocker | Resolution:
Keywords: | Triage Stage: Accepted
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
---------------------------------+-------------------------------------
Changes (by Stanislav):

* owner: nobody => Stanislav
* status: new => assigned


--
Ticket URL: <https://code.djangoproject.com/ticket/34283#comment:3>

Django

Jan 24, 2023, 3:25:06 AM
to django-...@googlegroups.com
#34283: Missing parameter escaping in admin filters.js
---------------------------------+-------------------------------------
Reporter: Stanislav | Owner: Stanislav
Type: Bug | Status: assigned
Component: contrib.admin | Version: 4.2
Severity: Release blocker | Resolution:
Keywords: | Triage Stage: Accepted
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
---------------------------------+-------------------------------------

Comment (by Mariusz Felisiak):

Stanislav, Can you send PR via GitHub? (a regression test is required.)

--
Ticket URL: <https://code.djangoproject.com/ticket/34283#comment:4>

Django

Jan 25, 2023, 3:09:42 PM
to django-...@googlegroups.com
#34283: Missing parameter escaping in admin filters.js
---------------------------------+-------------------------------------
Reporter: Stanislav | Owner: Stanislav
Type: Bug | Status: assigned
Component: contrib.admin | Version: 4.2
Severity: Release blocker | Resolution:
Keywords: | Triage Stage: Accepted
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
---------------------------------+-------------------------------------

Comment (by Stanislav):

Replying to [comment:4 Mariusz Felisiak]:


> Stanislav, Can you send PR via GitHub? (a regression test is required.)

I hope I did it

--
Ticket URL: <https://code.djangoproject.com/ticket/34283#comment:5>

Django

Jan 25, 2023, 3:53:47 PM
to django-...@googlegroups.com
#34283: Missing parameter escaping in admin filters.js
---------------------------------+-------------------------------------
Reporter: Stanislav | Owner: Stanislav
Type: Bug | Status: assigned
Component: contrib.admin | Version: 4.2
Severity: Release blocker | Resolution:
Keywords: | Triage Stage: Accepted
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
---------------------------------+-------------------------------------

Comment (by Marcelo Galigniana):

Replying to [comment:5 Stanislav]:


> Replying to [comment:4 Mariusz Felisiak]:
> > Stanislav, Can you send PR via GitHub? (a regression test is required.)
> I hope I did it

Hi Stanislav! I just saw your PR but it doesn’t have a new test. Mariusz
means add a test like this:
https://github.com/django/django/commit/27aa7035f57f0db30b6632e4274e18b430906799#diff-640602cc17dc3e9a26db47f58b40a1289d5c0f1b5b0fe547810b1d962f6cde8b.
You could use it as a reference and add the escape case! Don’t forget
to update the issue status here too!

Let me know if you need help with something!

--
Ticket URL: <https://code.djangoproject.com/ticket/34283#comment:6>

Django

Jan 25, 2023, 3:56:27 PM
to django-...@googlegroups.com
#34283: Missing parameter escaping in admin filters.js
---------------------------------+-------------------------------------
Reporter: Stanislav | Owner: Stanislav
Type: Bug | Status: assigned
Component: contrib.admin | Version: 4.2
Severity: Release blocker | Resolution:
Keywords: | Triage Stage: Accepted
Has patch: 1 | Needs documentation: 0
Needs tests: 1 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
---------------------------------+-------------------------------------
Changes (by Mariusz Felisiak):

* has_patch: 0 => 1
* needs_tests: 0 => 1


Comment:

[https://github.com/django/django/pull/16499 PR]

--
Ticket URL: <https://code.djangoproject.com/ticket/34283#comment:7>

Django

Jan 28, 2023, 4:48:19 PM
to django-...@googlegroups.com
#34283: Missing parameter escaping in admin filters.js
---------------------------------+-------------------------------------
Reporter: Stanislav | Owner: Stanislav
Type: Bug | Status: assigned
Component: contrib.admin | Version: 4.2
Severity: Release blocker | Resolution:
Keywords: | Triage Stage: Accepted
Has patch: 1 | Needs documentation: 0
Needs tests: 1 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
---------------------------------+-------------------------------------

Comment (by Stanislav):

Replying to [comment:6 Marcelo Galigniana]:


> Replying to [comment:5 Stanislav]:
> > Replying to [comment:4 Mariusz Felisiak]:
> > > Stanislav, Can you send PR via GitHub? (a regression test is required.)
> > I hope I did it
>
> Hi Stanislav! I just saw your PR but it doesn’t have a new test. Mariusz means add a test like this: https://github.com/django/django/commit/27aa7035f57f0db30b6632e4274e18b430906799#diff-640602cc17dc3e9a26db47f58b40a1289d5c0f1b5b0fe547810b1d962f6cde8b. You could use it as a reference and add the escape case! Don’t forget to update the issue status here too!
>
> Let me know if you need help with something!

https://github.com/django/django/pull/16499
The error is related to JS, so I process the browser logs in Selenium.

--
Ticket URL: <https://code.djangoproject.com/ticket/34283#comment:8>

Django

Jan 30, 2023, 3:59:16 AM
to django-...@googlegroups.com
#34283: Missing parameter escaping in admin filters.js
-------------------------------------+-------------------------------------
Reporter: Stanislav | Owner: Stanislav
Type: Bug | Status: assigned
Component: contrib.admin | Version: 4.2
Severity: Release blocker | Resolution:
Keywords: | Triage Stage: Ready for
| checkin
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
Changes (by Mariusz Felisiak):

* needs_tests: 1 => 0
* stage: Accepted => Ready for checkin


--
Ticket URL: <https://code.djangoproject.com/ticket/34283#comment:9>

Django

Jan 30, 2023, 5:58:39 AM
to django-...@googlegroups.com
#34283: Missing parameter escaping in admin filters.js
-------------------------------------+-------------------------------------
Reporter: Stanislav | Owner: Stanislav
Type: Bug | Status: closed
Component: contrib.admin | Version: 4.2
Severity: Release blocker | Resolution: fixed
Keywords: | Triage Stage: Ready for
| checkin
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------

Comment (by Mariusz Felisiak <felisiak.mariusz@…>):

In [changeset:"20a0850099340fb4cb8df0e4441e5019b2cbd1ea" 20a0850]:
{{{
#!CommitTicketReference repository=""
revision="20a0850099340fb4cb8df0e4441e5019b2cbd1ea"
Fixed #34283 -- Escaped title in admin's changelist filters.

Regression in 27aa7035f57f0db30b6632e4274e18b430906799.
}}}

--
Ticket URL: <https://code.djangoproject.com/ticket/34283#comment:11>

Django

Jan 30, 2023, 5:58:39 AM
to django-...@googlegroups.com
#34283: Missing parameter escaping in admin filters.js
-------------------------------------+-------------------------------------
Reporter: Stanislav | Owner: Stanislav
Type: Bug | Status: closed
Component: contrib.admin | Version: 4.2
Severity: Release blocker | Resolution: fixed
Keywords: | Triage Stage: Ready for
| checkin
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
Changes (by Mariusz Felisiak <felisiak.mariusz@…>):

* status: assigned => closed
* resolution: => fixed


Comment:

In [changeset:"7217c11eba6175023fff859cd7b3dd6c94690a0d" 7217c11e]:
{{{
#!CommitTicketReference repository=""
revision="7217c11eba6175023fff859cd7b3dd6c94690a0d"
[4.2.x] Fixed #34283 -- Escaped title in admin's changelist filters.

Regression in 27aa7035f57f0db30b6632e4274e18b430906799.

Backport of 20a0850099340fb4cb8df0e4441e5019b2cbd1ea from main
}}}

--
Ticket URL: <https://code.djangoproject.com/ticket/34283#comment:10>
