[Django] #24461: Admin readonly_fields pointing to properties (@property) do not get escaped.


Django

Mar 7, 2015, 10:55:08 PM
to django-...@googlegroups.com
#24461: Admin readonly_fields pointing to properties (@property) do not get escaped.
-------------------------------+--------------------
Reporter: eranrund | Owner: nobody
Type: Bug | Status: new
Component: contrib.admin | Version: 1.7
Severity: Normal | Keywords:
Triage Stage: Unreviewed | Has patch: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------+--------------------
Hey,

My model has a @property, and I am using readonly_fields to display it.
allow_tags is nowhere to be seen, and I believe the culprit is the
following code (env/lib/python2.7/site-packages/django/contrib/admin/helpers.py):
{{{
result_repr = smart_text(value)
if getattr(attr, "allow_tags", False):
    result_repr = mark_safe(result_repr)
else:
    result_repr = linebreaksbr(result_repr)
}}}
This is used by AdminReadonlyField to render the field. Unfortunately,
linebreaksbr relies on the template system autoescape mechanism, which
isn't kicking in when calling the filter directly:
{{{
In [2]: linebreaksbr('<a>test</a>')
Out[2]: u'<a>test</a>'

In [3]: type(_)
Out[3]: django.utils.safestring.SafeText
}}}

--
Ticket URL: <https://code.djangoproject.com/ticket/24461>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
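The behaviour the report describes, as an added example that is not part of the ticket or of Django's code: a minimal stand-in for the relevant pieces of django.utils.safestring, django.utils.html and the linebreaksbr filter, so the escaping difference can be checked without Django installed. The `render_readonly_*` functions and the hardened variant are my own illustration, not the project's committed patch.

```python
import re

class SafeText(str):
    """Marker type: Django's template engine will not escape a SafeText."""

def mark_safe(s):
    return s if isinstance(s, SafeText) else SafeText(s)

def escape(text):
    return (str(text).replace("&", "&amp;").replace("<", "&lt;")
            .replace(">", "&gt;").replace('"', "&quot;").replace("'", "&#39;"))

def conditional_escape(text):
    # Leave strings already marked safe alone; escape everything else.
    return text if isinstance(text, SafeText) else mark_safe(escape(text))

def linebreaksbr(value, autoescape=None):
    # Mirrors the filter's logic: it escapes only when autoescape is truthy
    # (the template engine passes that) and then marks its result safe.
    autoescape = autoescape and not isinstance(value, SafeText)
    value = re.sub(r"\r\n|\r", "\n", str(value))
    if autoescape:
        value = escape(value)
    return mark_safe(value.replace("\n", "<br />"))

def render_readonly_vulnerable(value, allow_tags=False):
    # The helpers.py path quoted in the ticket: the filter is called directly,
    # so nothing escapes the value before it is marked safe.
    result_repr = str(value)
    if allow_tags:
        return mark_safe(result_repr)
    return linebreaksbr(result_repr)

def render_readonly_hardened(value, allow_tags=False):
    # A hardened form (my suggestion, not the project's committed patch):
    # escape first unless the author opted into raw HTML via allow_tags.
    result_repr = str(value)
    if allow_tags:
        return mark_safe(result_repr)
    return linebreaksbr(conditional_escape(result_repr))

if __name__ == "__main__":
    prop = "<a>test</a>\nline two"  # constructed value of a model @property
    print(render_readonly_vulnerable(prop))  # <a>test</a><br />line two
    print(render_readonly_hardened(prop))    # &lt;a&gt;test&lt;/a&gt;<br />line two
```

Both return a SafeText, which is exactly why the template will not escape it afterwards; only the hardened path has done the escaping itself.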

Django

Mar 8, 2015, 7:06:44 AM
to django-...@googlegroups.com
#24461: Admin readonly_fields pointing to properties (@property) do not get escaped.
-------------------------------+-------------------------------------
Reporter: eranrund | Owner: bmispelon
Type: Bug | Status: assigned
Component: contrib.admin | Version: 1.7
Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------+-------------------------------------
Changes (by bmispelon):

* status: new => assigned
* needs_better_patch: => 0
* needs_tests: => 0
* owner: nobody => bmispelon
* needs_docs: => 0
* stage: Unreviewed => Accepted


Comment:

Hi,

I can indeed reproduce the issue, thanks for bringing it up.

--
Ticket URL: <https://code.djangoproject.com/ticket/24461#comment:1>

Django

Mar 9, 2015, 11:20:37 AM
to django-...@googlegroups.com
#24461: Admin readonly_fields pointing to properties (@property) do not get escaped.
-------------------------------+-------------------------------------
Reporter: eranrund | Owner: bmispelon
Type: Bug | Status: closed
Component: contrib.admin | Version: 1.7
Severity: Normal | Resolution: fixed
Keywords: | Triage Stage: Accepted
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------+-------------------------------------
Changes (by Tim Graham <timograham@…>):

* status: assigned => closed
* resolution: => fixed


Comment:

In [changeset:"2654e1b93923bac55f12b4e66c5e39b16695ace5"]:
{{{
#!CommitTicketReference repository=""
revision="2654e1b93923bac55f12b4e66c5e39b16695ace5"
[1.7.x] Fixed #24461 -- Fixed XSS issue in ModelAdmin.readonly_fields
}}}

--
Ticket URL: <https://code.djangoproject.com/ticket/24461#comment:2>

Django

Mar 9, 2015, 11:28:31 AM
to django-...@googlegroups.com
#24461: Admin readonly_fields pointing to properties (@property) do not get escaped.
-------------------------------+-------------------------------------
Reporter: eranrund | Owner: bmispelon
Type: Bug | Status: closed
Component: contrib.admin | Version: 1.7
Severity: Normal | Resolution: fixed
Keywords: | Triage Stage: Accepted
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------+-------------------------------------

Comment (by Tim Graham <timograham@…>):

In [changeset:"35d68e8e766217924375e1a91533fee50159291c"]:
{{{
#!CommitTicketReference repository=""
revision="35d68e8e766217924375e1a91533fee50159291c"
[1.8.x] Refs #24461 -- Added test/release notes for XSS issue in
ModelAdmin.readonly_fields

This issue was fixed by refs #24464.
}}}

--
Ticket URL: <https://code.djangoproject.com/ticket/24461#comment:3>

Django

Mar 9, 2015, 11:37:28 AM
to django-...@googlegroups.com
#24461: Admin readonly_fields pointing to properties (@property) do not get escaped.
-------------------------------+-------------------------------------
Reporter: eranrund | Owner: bmispelon
Type: Bug | Status: closed
Component: contrib.admin | Version: 1.7
Severity: Normal | Resolution: fixed
Keywords: | Triage Stage: Accepted
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------+-------------------------------------

Comment (by Tim Graham <timograham@…>):

In [changeset:"82c9169077a066995e3b00aac551bf1c8a89d98a"]:
{{{
#!CommitTicketReference repository=""
revision="82c9169077a066995e3b00aac551bf1c8a89d98a"
Refs #24461 -- Added test/release notes for XSS issue in
ModelAdmin.readonly_fields

This issue was fixed by refs #24464.
}}}

--
Ticket URL: <https://code.djangoproject.com/ticket/24461#comment:4>
