[Django] #25165: Move JavaScript calls out of HTML to fix JavaScript "no-script-eval" warnings


Django

Jul 22, 2015, 5:25:01 PM7/22/15
to django-...@googlegroups.com
#25165: Move JavaScript calls out of HTML to fix JavaScript "no-script-eval"
warnings
------------------------------------------------+------------------------
Reporter: timgraham | Owner: nobody
Type: Cleanup/optimization | Status: new
Component: contrib.admin | Version: master
Severity: Normal | Keywords:
Triage Stage: Accepted | Has patch: 0
Needs documentation: 0 | Needs tests: 0
Patch needs improvement: 0 | Easy pickings: 0
UI/UX: 0 |
------------------------------------------------+------------------------
[https://docs.djangoproject.com/en/dev/internals/contributing/writing-code/javascript/#running-tests Run the JavaScript tests] and you'll see
some warnings about "Script URL is a form of eval". These should be
replaced with click handlers (href="#" and then use id or class attributes
to select the element in the JavaScript and register a click handler
there, with "return false" to stop event propagation).

--
Ticket URL: <https://code.djangoproject.com/ticket/25165>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
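What the cleanup in this ticket removes, as an added example rather than Django's own code: a small stand-alone Python checker that walks an HTML template with the standard library's HTMLParser and reports the constructs a Content-Security-Policy `script-src` without `'unsafe-inline'` would refuse to run: `javascript:` URLs (the "Script URL is a form of eval" warning), `on*` event-handler attributes, and `<script>` elements with neither `src` nor `nonce`. The two templates inside it are constructed for the example; the function names in them (`openPopup`, `dismissPopup`) and the `data-*`/JSON layout of the fixed version are assumptions, not the admin's real markup.

```python
"""Added example (not Django's own code): report inline JavaScript in an HTML
template that a Content-Security-Policy without 'unsafe-inline' would block.

Three constructs are reported, matching the ticket's "Script URL is a form of
eval" warnings and the click-handler replacement it asks for:
  * href="javascript:..." and similar script URLs,
  * on* event-handler attributes (onclick, onchange, ...),
  * executable <script> elements with neither src= nor nonce=.
"""
from html.parser import HTMLParser

# Attributes whose value is a URL and can therefore carry a javascript: scheme.
_URL_ATTRIBUTES = {"href", "src", "action", "formaction"}

# <script type="..."> values the browser executes. Anything else, such as
# application/json, is inert data and is not governed by script-src.
_EXECUTABLE_TYPES = {"", "module", "text/javascript", "application/javascript",
                     "application/ecmascript", "text/ecmascript"}


def _has_script_scheme(value):
    """True if the URL's scheme is javascript: after the normalisation browsers
    apply: whitespace and ASCII control characters inside the scheme are
    ignored and the comparison is case-insensitive, so " JavaScript:" and
    "java\\tscript:" both count."""
    cleaned = "".join(ch for ch in value if not ch.isspace() and ord(ch) > 31)
    return cleaned.lower().startswith("javascript:")


class InlineScriptFinder(HTMLParser):
    """Collect (line, kind, detail) tuples for every construct CSP would block."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        line, _offset = self.getpos()
        # HTMLParser entity-decodes attribute values, so &#106;avascript: has
        # already become javascript: here. Valueless attributes arrive as None.
        attrs = {name: (value or "") for name, value in attrs}
        if tag == "script" and "src" not in attrs and "nonce" not in attrs:
            if attrs.get("type", "").strip().lower() in _EXECUTABLE_TYPES:
                self.findings.append(
                    (line, "inline-script", "<script> without src or nonce"))
        for name, value in attrs.items():
            if name.startswith("on") and len(name) > 2:
                self.findings.append((line, "event-attribute", '%s="%s"' % (name, value)))
            elif name in _URL_ATTRIBUTES and _has_script_scheme(value):
                self.findings.append((line, "script-url", '%s="%s"' % (name, value)))


def find_inline_script(html):
    """Return the (line, kind, detail) findings for one HTML/template string."""
    finder = InlineScriptFinder()
    finder.feed(html)
    finder.close()
    return finder.findings


# Constructed samples in the spirit of the admin's popup links, not its real
# templates. BEFORE is the inline style the ticket removes; AFTER keeps the
# same behaviour in an external script driven by data-* attributes and JSON.
BEFORE_TEMPLATE = """
<a href="javascript:openPopup(this);" id="lookup_id_parent">Lookup</a>
<a href="#" onclick="dismissPopup(window, 42); return false;">Close</a>
<script>window.popupData = {"value": 42};</script>
"""

AFTER_TEMPLATE = """
<a href="#" class="related-lookup" id="lookup_id_parent">Lookup</a>
<a href="#" class="popup-dismiss" data-value="42">Close</a>
<script id="popup-data" type="application/json">{"value": "42"}</script>
<script src="/static/popup.js"></script>
"""


def report(html):
    """One line per finding, suitable for a CI check over all templates."""
    return ["line %d: %s %s" % (line, kind, detail)
            for line, kind, detail in find_inline_script(html)]


if __name__ == "__main__":
    for name, template in (("before", BEFORE_TEMPLATE), ("after", AFTER_TEMPLATE)):
        print(name + ":", "\n  ".join(report(template)) or "no inline script")
```

In the fixed layout the external script selects `.related-lookup` and `.popup-dismiss` by class, registers a `click` listener with `addEventListener`, reads the `data-*` attributes, and calls `event.preventDefault()` in place of the ticket's `return false`. Once nothing inline is left, a response header such as `Content-Security-Policy: script-src 'self'` can be sent; while inline handlers remain it would need `'unsafe-inline'`, which defeats the purpose. The checker decodes entity-encoded attribute values and ignores whitespace and control characters inside the scheme because browsers accept `&#106;avascript:` and `java<TAB>script:` as script URLs too.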

Django

Jul 27, 2015, 3:38:13 AM7/27/15
to django-...@googlegroups.com
#25165: Move JavaScript calls out of HTML to fix JavaScript "no-script-eval"
warnings
--------------------------------------+------------------------------------
Reporter: timgraham | Owner: zedr
Type: Cleanup/optimization | Status: assigned
Component: contrib.admin | Version: master
Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
--------------------------------------+------------------------------------
Changes (by zedr):

* owner: nobody => zedr
* status: new => assigned


Comment:

Will take a look.

--
Ticket URL: <https://code.djangoproject.com/ticket/25165#comment:1>

Django

Nov 7, 2015, 2:41:32 PM11/7/15
to django-...@googlegroups.com
#25165: Move JavaScript calls out of HTML to fix JavaScript "no-script-eval"
warnings
--------------------------------------+------------------------------------
Reporter: timgraham | Owner:
Type: Cleanup/optimization | Status: new
Component: contrib.admin | Version: master
Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
--------------------------------------+------------------------------------
Changes (by timgraham):

* status: assigned => new
* owner: zedr =>
* has_patch: 0 => 1


Comment:

[https://github.com/django/django/pull/5567 PR]

--
Ticket URL: <https://code.djangoproject.com/ticket/25165#comment:2>

Django

Dec 5, 2015, 3:52:35 PM12/5/15
to django-...@googlegroups.com
#25165: Move JavaScript calls out of HTML to fix JavaScript "no-script-eval"
warnings
-------------------------------------+-------------------------------------
Reporter: timgraham | Owner: Tim Graham <timograham@…>
Type: Cleanup/optimization | Status: closed
Component: contrib.admin | Version: master
Severity: Normal | Resolution: fixed
Keywords: | Triage Stage: Accepted
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
Changes (by Tim Graham <timograham@…>):

* status: new => closed
* owner: => Tim Graham <timograham@…>
* resolution: => fixed


Comment:

In [changeset:"d638cdc42acec608c1967f44af6be32a477c239f" d638cdc]:
{{{
#!CommitTicketReference repository=""
revision="d638cdc42acec608c1967f44af6be32a477c239f"
Fixed #25165 -- Removed inline JavaScript from the admin.

This allows setting a Content-Security-Policy HTTP header
(refs #15727).

Special thanks to blighj, the original author of this patch.
}}}

--
Ticket URL: <https://code.djangoproject.com/ticket/25165#comment:3>

Django

Dec 19, 2015, 1:23:48 PM12/19/15
to django-...@googlegroups.com
#25165: Move JavaScript calls out of HTML to fix JavaScript "no-script-eval"
warnings
-------------------------------------+-------------------------------------
Reporter: timgraham | Owner: Tim Graham <timograham@…>
Type: Cleanup/optimization | Status: new
Component: contrib.admin | Version: master
Severity: Release blocker | Resolution:
Keywords: | Triage Stage: Accepted
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
Changes (by timgraham):

* status: closed => new
* has_patch: 1 => 0
* resolution: fixed =>
* severity: Normal => Release blocker


Comment:

Hi Thomas, I noticed a regression due to this change. Go to the admin
change form of an object with a foreign key and use the "Add another"
button on the foreign key field. After creating a new object using the
popup, the popup doesn't close and the JavaScript console displays
`TypeError: text.replace is not a function`. Are you able to investigate?

--
Ticket URL: <https://code.djangoproject.com/ticket/25165#comment:4>

Django

Dec 22, 2015, 4:47:01 PM12/22/15
to django-...@googlegroups.com
#25165: Move JavaScript calls out of HTML to fix JavaScript "no-script-eval"
warnings
-------------------------------------+-------------------------------------
Reporter: timgraham | Owner: Tim Graham <timograham@…>
Type: Cleanup/optimization | Status: new
Component: contrib.admin | Version: master
Severity: Release blocker | Resolution:
Keywords: | Triage Stage: Accepted
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------

Comment (by timgraham):

The selenium test added in f18b08748abaecb171fdcbcdfdcd7e4d95d931d1 can
likely be extended for this fix.

--
Ticket URL: <https://code.djangoproject.com/ticket/25165#comment:5>

Django

Dec 29, 2015, 6:21:13 AM12/29/15
to django-...@googlegroups.com
#25165: Move JavaScript calls out of HTML to fix JavaScript "no-script-eval"
warnings
-------------------------------------+-------------------------------------
Reporter: timgraham | Owner: Tim Graham <timograham@…>
Type: Cleanup/optimization | Status: new
Component: contrib.admin | Version: master
Severity: Release blocker | Resolution:
Keywords: | Triage Stage: Accepted
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------

Comment (by timgraham):

Another regression: when using the "Add another" button on a foreign key
to a `UUIDField` in the admin, the
[https://github.com/django/django/blob/35c41987ecfaad849019d09468ce322fec86cd39/django/contrib/admin/options.py#L1086-L1090 JSON serialization] will fail with `TypeError: UUID('f9cd8eb4-7c00-407b-bc35-17a8a8d0b9f0') is not JSON serializable`.

--
Ticket URL: <https://code.djangoproject.com/ticket/25165#comment:6>

Django

Jan 4, 2016, 7:28:47 PM1/4/16
to django-...@googlegroups.com
#25165: Move JavaScript calls out of HTML to fix JavaScript "no-script-eval"
warnings
-------------------------------------+-------------------------------------
Reporter: timgraham | Owner: Tim Graham <timograham@…>
Type: Cleanup/optimization | Status: new
Component: contrib.admin | Version: master
Severity: Release blocker | Resolution:
Keywords: | Triage Stage: Accepted
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------

Comment (by timgraham):

[https://github.com/django/django/pull/5921 PR] for the second regression
(waiting to incorporate the tests from a patch for the `stable/1.9.x` branch
as noted there).

--
Ticket URL: <https://code.djangoproject.com/ticket/25165#comment:7>

Django

Jan 8, 2016, 10:29:37 AM1/8/16
to django-...@googlegroups.com
#25165: Move JavaScript calls out of HTML to fix JavaScript "no-script-eval"
warnings
-------------------------------------+-------------------------------------
Reporter: timgraham | Owner: Tim Graham <timograham@…>
Type: Cleanup/optimization | Status: new
Component: contrib.admin | Version: master
Severity: Release blocker | Resolution:
Keywords: | Triage Stage: Accepted
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
Changes (by timgraham):

* has_patch: 0 => 1


Comment:

[https://github.com/django/django/pull/5948 PR] for the issue in comment 4.

--
Ticket URL: <https://code.djangoproject.com/ticket/25165#comment:8>

Django

Jan 8, 2016, 11:48:23 AM1/8/16
to django-...@googlegroups.com
#25165: Move JavaScript calls out of HTML to fix JavaScript "no-script-eval"
warnings
-------------------------------------+-------------------------------------
Reporter: timgraham | Owner: Tim Graham <timograham@…>
Type: Cleanup/optimization | Status: new
Component: contrib.admin | Version: master
Severity: Release blocker | Resolution:
Keywords: | Triage Stage: Accepted
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------

Comment (by Tim Graham <timograham@…>):

In [changeset:"822a03b3e41c7c26b7b623c782fbcf9e6eea863f" 822a03b3]:
{{{
#!CommitTicketReference repository=""
revision="822a03b3e41c7c26b7b623c782fbcf9e6eea863f"
Refs #25165 -- Fixed failure of admin's "Add another" popup to close.

Thanks Thomas Grainger for the fix.
}}}

--
Ticket URL: <https://code.djangoproject.com/ticket/25165#comment:9>

Django

Jan 8, 2016, 12:29:17 PM1/8/16
to django-...@googlegroups.com
#25165: Move JavaScript calls out of HTML to fix JavaScript "no-script-eval"
warnings
-------------------------------------+-------------------------------------
Reporter: timgraham | Owner: Tim Graham <timograham@…>
Type: Cleanup/optimization | Status: new
Component: contrib.admin | Version: master
Severity: Release blocker | Resolution:
Keywords: | Triage Stage: Accepted
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------

Comment (by Tim Graham <timograham@…>):

In [changeset:"ade54ffa34ddc6c19b26c6ea72b46f73af7b682b" ade54ff]:
{{{
#!CommitTicketReference repository=""
revision="ade54ffa34ddc6c19b26c6ea72b46f73af7b682b"
Refs #25165 -- Fixed JSON serialization for add/edit popup in the admin.

Forwardport of test in o839d71d8562abe0b245024e55ca1d02a45e58fd from
stable/1.9.x
(refs #25997).
}}}

--
Ticket URL: <https://code.djangoproject.com/ticket/25165#comment:10>

Django

Jan 8, 2016, 12:29:49 PM1/8/16
to django-...@googlegroups.com
#25165: Move JavaScript calls out of HTML to fix JavaScript "no-script-eval"
warnings
-------------------------------------+-------------------------------------
Reporter: timgraham | Owner: Tim Graham <timograham@…>
Type: Cleanup/optimization | Status: closed
Component: contrib.admin | Version: master
Severity: Release blocker | Resolution: fixed
Keywords: | Triage Stage: Accepted
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
Changes (by timgraham):

* status: new => closed
* resolution: => fixed


--
Ticket URL: <https://code.djangoproject.com/ticket/25165#comment:11>

Django

Jan 8, 2016, 6:24:45 PM1/8/16
to django-...@googlegroups.com
#25165: Move JavaScript calls out of HTML to fix JavaScript "no-script-eval"
warnings
-------------------------------------+-------------------------------------
Reporter: timgraham | Owner: Tim Graham <timograham@…>
Type: Cleanup/optimization | Status: closed
Component: contrib.admin | Version: master
Severity: Release blocker | Resolution: fixed
Keywords: | Triage Stage: Accepted
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------

Comment (by Tim Graham <timograham@…>):

In [changeset:"cbaa3ee3ee45d453ab6aa36d57847515dd130b9f" cbaa3ee]:
{{{
#!CommitTicketReference repository=""
revision="cbaa3ee3ee45d453ab6aa36d57847515dd130b9f"
Refs #25165 -- Removed unnecessary HTML unescaping in admin add/edit
popups.

Because we now load data into the page via JSON, we don't need to
unescape it anymore.
}}}

--
Ticket URL: <https://code.djangoproject.com/ticket/25165#comment:12>
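The two JSON-related follow-ups above (the `UUID(...) is not JSON serializable` regression of comment 6 and the removal of client-side unescaping in this commit), as an added Python example that is not Django's code: an encoder that stringifies UUID, date and Decimal values, plus the escaping needed to drop the resulting JSON into a `<script type="application/json">` element without letting a label such as `</script><script>...` terminate it. The payload keys (`action`, `value`, `obj`), the function names and the hostile label are assumptions made for the example; the UUID is the one quoted in the ticket.

```python
"""Added example (not Django's own code): serialise the admin popup's result
as JSON and embed it in the page without letting it break out of the
<script> element it sits in.

It covers two points from this ticket: json.dumps() refuses a UUID primary
key (the "is not JSON serializable" regression), and data loaded via JSON
needs no HTML unescaping on the client as long as the JSON is escaped for
the element that carries it. The payload shape is an assumption made for
illustration, not the admin's real one.
"""
import datetime
import decimal
import html
import json
import uuid


class PopupJSONEncoder(json.JSONEncoder):
    """Stand-in for a Django-style encoder (not the real DjangoJSONEncoder):
    the non-JSON types a primary key or label may carry become strings."""

    def default(self, o):
        if isinstance(o, uuid.UUID):
            return str(o)
        if isinstance(o, (datetime.datetime, datetime.date)):
            return o.isoformat()
        if isinstance(o, decimal.Decimal):
            return str(o)
        return super().default(o)


# The only way to end a <script> element is the literal "</script>", so
# escaping "<", ">" and "&" as JSON \u escapes makes a break-out impossible
# while the text stays valid JSON. json.dumps() with ensure_ascii (the
# default) already escapes U+2028/U+2029, which would break a JS literal.
_SCRIPT_SAFE = str.maketrans({"<": "\\u003c", ">": "\\u003e", "&": "\\u0026"})


def popup_response_data(action, pk, label):
    """The hypothetical payload the popup hands back to the opener window."""
    return {"action": action, "value": pk, "obj": label}


def serialize_plain(data):
    """Plain json.dumps(): raises TypeError for a UUID pk, as in comment 6."""
    return json.dumps(data)


def json_for_script(data):
    """JSON text that is safe to place inside a <script> element."""
    return json.dumps(data, cls=PopupJSONEncoder).translate(_SCRIPT_SAFE)


def embed_json(data, element_id):
    """An inert data element; the page's external JS reads it with JSON.parse."""
    return '<script id="%s" type="application/json">%s</script>' % (
        html.escape(element_id, quote=True), json_for_script(data))


def decode_for_client(text):
    """What the opener window's JSON.parse() recovers from the element text."""
    return json.loads(text)


SAMPLE_PK = uuid.UUID("f9cd8eb4-7c00-407b-bc35-17a8a8d0b9f0")  # quoted in the ticket
# Constructed hostile label: a model's __str__ that an admin user may control.
SAMPLE_DATA = popup_response_data("change", SAMPLE_PK, "</script><script>alert(1)</script>")

if __name__ == "__main__":
    print(embed_json(SAMPLE_DATA, "popup-response"))
```

The client side reads the element's text and calls `JSON.parse` on it, which is why the HTML unescaping this commit removes is no longer needed: the browser never HTML-decodes the contents of a `<script>` element, and the `\u003c` escapes are plain JSON that `JSON.parse` turns back into `<`. Escaping at the JSON layer rather than HTML-escaping the JSON text is what keeps the round-trip exact.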

Django

Jan 8, 2016, 7:58:23 PM1/8/16
to django-...@googlegroups.com
#25165: Move JavaScript calls out of HTML to fix JavaScript "no-script-eval"
warnings
-------------------------------------+-------------------------------------
Reporter: timgraham | Owner: Tim Graham <timograham@…>
Type: Cleanup/optimization | Status: closed
Component: contrib.admin | Version: master
Severity: Release blocker | Resolution: fixed
Keywords: | Triage Stage: Accepted
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------

Comment (by timgraham):

And to fix serialization for the delete popup:
[https://github.com/django/django/pull/5955 PR]

--
Ticket URL: <https://code.djangoproject.com/ticket/25165#comment:13>

Django

Jan 9, 2016, 2:11:41 PM1/9/16
to django-...@googlegroups.com
#25165: Move JavaScript calls out of HTML to fix JavaScript "no-script-eval"
warnings
-------------------------------------+-------------------------------------
Reporter: timgraham | Owner: Tim Graham <timograham@…>
Type: Cleanup/optimization | Status: closed
Component: contrib.admin | Version: master
Severity: Release blocker | Resolution: fixed
Keywords: | Triage Stage: Accepted
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------

Comment (by Tim Graham <timograham@…>):

In [changeset:"3541ca1504d75b6b4fc8b8db0e7d62e990433f12" 3541ca15]:
{{{
#!CommitTicketReference repository=""
revision="3541ca1504d75b6b4fc8b8db0e7d62e990433f12"
Refs #25165 -- Fixed JSON serialization for delete popup in the admin.
}}}

--
Ticket URL: <https://code.djangoproject.com/ticket/25165#comment:14>
