This is supposedly used when trying to display an object as html: if the
object provides an __html__ representation, this is used instead of an
html-escaped version of __str__. This is implemented in
`django.utils.html.conditional_escape`, used in turn by `format_html` (and
similar).
This feature is really nice. It allows for instance to add colors or icons
to the instance's representation very consistently, which in some cases
can really help in terms of UX (e.g. color for instance's state).
Unfortunately, this is only very partially supported in Django admin,
where most of the time, the __str__ representation is used instead.
Currently, the only place where I could see the __html__ used is in the
confirmation message after changing an object ("The object “XYZ” was
changed successfully.").
The __html__ method is not used in:
- the default representation of the changelist (when list_display is not
set)
- the breadcrumbs
- the filters of the changelist
- the select with autocomplete (despite select2 supporting html)
- etc...
I suggest changing this wherever possible in Django admin. It shouldn't be
too big of a change. It's probably mostly replacing str(obj) by
conditional_escape(obj) wherever HTML is admissible.
Long live Django & Django admin :-)
--
Ticket URL: <https://code.djangoproject.com/ticket/31427>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
* type: Uncategorized => New feature
--
Ticket URL: <https://code.djangoproject.com/ticket/31427#comment:1>
* Attachment "example_html_djanngo.PNG" added.
example 1
* Attachment "example_html_djanngo_2.PNG" added.
example 2
* owner: nobody => andyrobles
* status: new => assigned
--
Ticket URL: <https://code.djangoproject.com/ticket/31427#comment:2>
* status: assigned => closed
* resolution: => needsinfo
Old description:
New description:
Django supports custom html representation for objects using the __html__
method (see #7261)
--
Comment:
Grrr.
> Django supports custom html representation for objects using the __html__
> method
I don't think that's the intended use-case.
Rather:
> This shouldn't be thought of as *replacement* for autoescaping, since
> that's not required, but as something that uses it for interoperability.
> - https://code.djangoproject.com/ticket/7261#comment:3
i.e. it was introduced so the DTL could understand that strings from other
template engines were pre-escaped.
The `__html__()` method is hardly documented — it's mentioned only in
passing for `html_safe`.
I'm not 100% averse to the idea here—I can see the appeal— vs what?
implementing str() to mark safe, or a proxy class doing the same for use
in the admin...? Overriding the templates?, and so on... — but (A)
security — do folks really emit safe HTML? — and then (B) it's a change in
the intended use, so ... 😬
I'll initially say `needsinfo` rather than `wontfix` here.
* What does it really involve? Documenting `__html__()` and promoting to a
recommended approach.
* A PoC concept PR: What do the changes look like? (In draft)
* Then, is there any support for such a change on the DevelopersMailingList?
(vs the alternatives)
I hope that makes sense.
--
Ticket URL: <https://code.djangoproject.com/ticket/31427#comment:3>
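An added example, not part of the ticket or of Django's code, showing the `conditional_escape` behaviour the description relies on and the escaping concern (A) raised in the comment: whatever `__html__()` returns is emitted verbatim, so the method itself has to escape each field. The `Order` classes and the label value are hypothetical; the `except ImportError` stand-ins are assumptions used only when Django is not installed.

```python
from html import escape as std_escape

try:  # real Django helpers when Django is installed
    from django.utils.html import conditional_escape, format_html
except ImportError:  # assumption: stand-ins with the same behaviour for this demo
    def conditional_escape(obj):
        # Trust __html__() verbatim, otherwise escape str(obj).
        if hasattr(obj, "__html__"):
            return obj.__html__()
        return std_escape(str(obj))

    def format_html(fmt, *args):
        return fmt.format(*(conditional_escape(a) for a in args))


class Order:
    """Hypothetical stand-in for a model instance with a user-editable label."""

    def __init__(self, label, state):
        self.label, self.state = label, state

    def __str__(self):
        return f"{self.label} ({self.state})"


class UnsafeOrder(Order):
    def __html__(self):
        # Raw interpolation: the label reaches the page unescaped.
        return f'<span class="state-{self.state}">{self.label}</span>'


class SafeOrder(Order):
    def __html__(self):
        # format_html escapes every argument before inserting it.
        return format_html('<span class="state-{}">{}</span>', self.state, self.label)


# Constructed sample value standing in for text a user typed into a field.
LABEL = "Acme <script>alert(1)</script>"


def render_all(label=LABEL, state="paid"):
    """Return what conditional_escape() would hand to a template for each class."""
    return {cls.__name__: str(conditional_escape(cls(label, state)))
            for cls in (Order, UnsafeOrder, SafeOrder)}


if __name__ == "__main__":
    for name, html in render_all().items():
        print(f"{name:12} {html}")
```

Replacing `str(obj)` with `conditional_escape(obj)` in the admin would change the `UnsafeOrder` case from escaped text to live markup, which is why the choice of how `__html__()` builds its string matters.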