Ticket #5880: 5880.diff

File 5880.diff, 2.5 KB (added by Gary Wilson, 17 years ago)
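--- a/django/contrib/admin/media/js/admin/RelatedObjectLookups.js
+++ b/django/contrib/admin/media/js/admin/RelatedObjectLookups.js
@@ -1,6 +1,16 @@
 // Handles related-objects functionality: lookup link for raw_id_admin=True
 // and Add Another links.
 
+function html_unescape(text) {
+    // Unescape a string that was escaped using django.utils.html.escape.
+    text = text.replace(/&lt;/g, '<');
+    text = text.replace(/&gt;/g, '>');
+    text = text.replace(/&amp;/g, '&');
+    text = text.replace(/&quot;/g, '"');
+    text = text.replace(/&#39;/g, "'");
+    return text;
+}
+
 function showRelatedObjectLookupPopup(triggeringLink) {
     var name = triggeringLink.id.replace(/^lookup_/, '');
     // IE doesn't like periods in the window name, so convert temporarily.
@@ -42,6 +52,10 @@
 }
 
 function dismissAddAnotherPopup(win, newId, newRepr) {
+    // newId and newRepr are expected to have previously been escaped by
+    // django.utils.html.escape.
+    newId = html_unescape(newId);
+    newRepr = html_unescape(newRepr);
     var name = win.name.replace(/___/g, '.');
     var elem = document.getElementById(name);
     if (elem) {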
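Review bot: In `html_unescape`, `&amp;` is decoded third, ahead of `&quot;` and `&#39;`, so a value whose original text contains the literal characters `&quot;` (sent by the server as `&amp;quot;`) comes back as `"` instead of `&quot;`. Decode the ampersand last by moving `text = text.replace(/&amp;/g, '&');` to just before `return text;`. In the second hunk the decoded `newId` and `newRepr` are raw user-controlled text again, and the rest of `dismissAddAnotherPopup` lies outside the hunk, so it is worth confirming they only reach text sinks (an option's label or a field value) and never markup insertion. A comment next to the two `html_unescape` calls, such as `// Decoded values are plain text; do not assign them to innerHTML.`, would record that.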
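--- a/django/contrib/admin/views/main.py
+++ b/django/contrib/admin/views/main.py
@@ -270,10 +270,11 @@
                     post_url_continue += "?_popup=1"
                 return HttpResponseRedirect(post_url_continue % pk_value)
             if "_popup" in request.POST:
-                if type(pk_value) is str: # Quote if string, so JavaScript doesn't think it's a variable.
-                    pk_value = '"%s"' % pk_value.replace('"', '\\"')
-                return HttpResponse('<script type="text/javascript">opener.dismissAddAnotherPopup(window, %s, "%s");</script>' % \
-                    (pk_value, force_unicode(new_object).replace('"', '\\"')))
+                return HttpResponse('<script type="text/javascript">opener.dismissAddAnotherPopup(window, "%s", "%s");</script>' % \
+                    # escape() calls force_unicode.
+                    (escape(pk_value), escape(new_object)))
+                print text
+               
             elif "_addanother" in request.POST:
                 request.user.message_set.create(message=msg + ' ' + (_("You may add another %s below.") % force_unicode(opts.verbose_name)))
                 return HttpResponseRedirect(request.path)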
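Review bot: `escape()` is the HTML escaper, but both values land inside double-quoted JavaScript string literals in the `<script>` response, where a backslash or a line terminator in `pk_value` or in the object's text is still significant and is not among the five entities the client-side `html_unescape` reverses. The values need escaping for the JavaScript-string context as well (Django's `escapejs`, if this tree has it, or a JSON encoder), with the client-side decoding adjusted to match. Separately, `print text` after the `return` is unreachable debug residue, and `text` is not defined in the visible lines; it and the whitespace-only line after it should be dropped. Whether `escape` is imported in main.py is not visible in this hunk.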