The docs on `allow_tags` mention:
If the string given is a method of the model, ModelAdmin or a callable,
Django will HTML-escape the output by default. If you’d rather not escape
the output of the method, give the method an `allow_tags` attribute whose
value is `True`. However, to avoid an XSS vulnerability, you should use
`format_html()` to escape user-provided inputs.
To push people to actually do that, deprecating `allow_tags` and pointing
to `format_html`/`mark_safe` could be a good thing.
--
Ticket URL: <https://code.djangoproject.com/ticket/25135>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
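The distinction the ticket description draws, shown as an added example that is not Django's own code: a minimal stand-in for the mark_safe / format_html conditional-escaping behaviour (the SafeString marker, conditional_escape and render_admin_column below are constructed helpers, not Django's implementation), applied to an admin-style column method written once with allow_tags and once with format_html on a constructed user-controlled value.

```python
import html

# Constructed stand-in, not Django's code: a marker type plus helpers that
# mirror the mark_safe / format_html split the ticket points people towards.

class SafeString(str):
    """Marker: content is already escaped or trusted; do not escape again."""

def mark_safe(s):
    # Declares the whole string safe as-is. allow_tags = True on an admin
    # method amounted to doing this to everything the method returned.
    return SafeString(s)

def conditional_escape(value):
    # Escape plain strings; leave anything already marked safe untouched.
    if isinstance(value, SafeString):
        return value
    return SafeString(html.escape(str(value), quote=True))

def format_html(fmt, *args, **kwargs):
    # Escape every argument, then mark the formatted result safe. The format
    # string itself (developer-authored markup) is trusted; the data is not.
    args = [conditional_escape(a) for a in args]
    kwargs = {k: conditional_escape(v) for k, v in kwargs.items()}
    return SafeString(fmt.format(*args, **kwargs))

# Constructed user-controlled field value, e.g. a name typed into a form.
USER_NAME = '<script>alert(1)</script>Jaap'

def colored_name_allow_tags(name):
    # The deprecated pattern: raw user data interpolated, then the whole
    # string passed through unescaped because of allow_tags.
    return '<span style="color: red;">%s</span>' % name
colored_name_allow_tags.allow_tags = True

def colored_name_format_html(name):
    # The replacement pattern: user data is escaped, the markup is kept.
    return format_html('<span style="color: red;">{}</span>', name)

def render_admin_column(method, value):
    # Simplified model of how the admin treated a column method's output:
    # allow_tags bypasses escaping, otherwise conditional escaping applies.
    result = method(value)
    if getattr(method, 'allow_tags', False):
        return mark_safe(result)
    return conditional_escape(result)
```

With allow_tags the script tag reaches the page intact; with format_html only the developer's span survives as markup, and nesting format_html calls does not double-escape because the inner result is already marked safe.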
* needs_better_patch: => 0
* needs_docs: => 0
* needs_tests: => 0
* stage: Unreviewed => Accepted
Comment:
Looking at the code, I think it could be a bit tricky, but the idea sounds
good.
--
Ticket URL: <https://code.djangoproject.com/ticket/25135#comment:1>
* owner: nobody => jaap3
* status: new => assigned
Comment:
Created a pull request with my initial attempt. Django tests all pass, but
it might just be that `allow_tags` is not tested that well.
Having a hard time figuring out where to add tests though...
--
Ticket URL: <https://code.djangoproject.com/ticket/25135#comment:2>
* owner: jaap3 => olasitarska
* has_patch: 0 => 1
--
Ticket URL: <https://code.djangoproject.com/ticket/25135#comment:3>
* needs_tests: 0 => 1
Comment:
Waiting on one more test as noted on the pull request.
--
Ticket URL: <https://code.djangoproject.com/ticket/25135#comment:4>
* needs_tests: 1 => 0
--
Ticket URL: <https://code.djangoproject.com/ticket/25135#comment:5>
* stage: Accepted => Ready for checkin
Comment:
Pending some cosmetic tweaks.
--
Ticket URL: <https://code.djangoproject.com/ticket/25135#comment:6>
* status: assigned => closed
* resolution: => fixed
Comment:
In [changeset:"f2f8972def26cea2b0e8dbe763e11436d194e3d4" f2f8972]:
{{{
#!CommitTicketReference repository=""
revision="f2f8972def26cea2b0e8dbe763e11436d194e3d4"
Fixed #25135 -- Deprecated the contrib.admin allow_tags attribute.
Thanks Jaap Roes for the idea and initial patch.
}}}
--
Ticket URL: <https://code.djangoproject.com/ticket/25135#comment:7>
Comment (by jaap3):
Thank you olasitarska for fixing this up!
--
Ticket URL: <https://code.djangoproject.com/ticket/25135#comment:8>
Comment (by Tim Graham <timograham@…>):
In [changeset:"00adec6d5f266469bc62e7351d8e6b641872b47a" 00adec6]:
{{{
#!CommitTicketReference repository=""
revision="00adec6d5f266469bc62e7351d8e6b641872b47a"
Refs #25135 -- Corrected the timeline section of allow_tags deprecation.
}}}
--
Ticket URL: <https://code.djangoproject.com/ticket/25135#comment:9>
Comment (by Tim Graham <timograham@…>):
In [changeset:"d67a46e10459858b681176a3e1f8c6bca39d2ac7" d67a46e1]:
{{{
#!CommitTicketReference repository=""
revision="d67a46e10459858b681176a3e1f8c6bca39d2ac7"
Refs #25135 -- Removed support for the contrib.admin allow_tags attribute.
Per deprecation timeline.
}}}
--
Ticket URL: <https://code.djangoproject.com/ticket/25135#comment:10>