Opened 5 years ago
Closed 5 years ago
#31427 closed New feature (needsinfo)
Better support for __html__ in django admin
Reported by: | Olivier Dalang | Owned by: | Andy Robles |
---|---|---|---|
Component: | contrib.admin | Version: | 3.0 |
Severity: | Normal | Keywords: | |
Cc: | | Triage Stage: | Unreviewed |
Has patch: | no | Needs documentation: | no |
Needs tests: | no | Patch needs improvement: | no |
Easy pickings: | no | UI/UX: | yes |
Description (last modified by )
Django supports custom html representation for objects using the __html__ method (see #7261).
This is supposedly used when trying to display the object as html: if the object provides an html representation, this is used instead of an html-escaped version of str. This is implemented in django.utils.html.conditional_escape, used in turn by format_html (and similar).
This feature is really nice. It allows for instance to add colors or icons to the instance's representation very consistently, which in some cases can really help in terms of UX (e.g. color for instance's state).
Unfortunately, this is only very partially supported in Django admin, where most of the time, the str representation is used instead.
Currently, the only place where I could see the __html__ used is in the confirmation message after changing an object ("The object “XYZ” was changed successfully.").
The __html__ method is not used in:
- the default representation of the changelist (when list_display is not set)
- the breadcrumbs
- the filters of the changelist
- the select with autocomplete (despite select2 supporting html)
- etc...
I suggest changing this wherever possible in Django admin. It shouldn't be too big of a change. It's probably mostly replacing str(obj) by conditional_escape(obj) wherever HTML is admissible.
Long live Django & Django admin :-)
Attachments (2)
Change History (5)
comment:1 by , 5 years ago
Type: | Uncategorized → New feature |
---|
by , 5 years ago
Attachment: | example_html_djanngo.PNG added |
---|
comment:2 by , 5 years ago
Owner: | changed from | to
---|---|
Status: | new → assigned |
comment:3 by , 5 years ago
Description: | modified (diff) |
---|---|
Resolution: | → needsinfo |
Status: | assigned → closed |
Grrr.
> Django supports custom html representation for objects using the __html__ method
I don't think that's the intended use-case.
Rather:
This shouldn't be thought of as *replacement* for autoescaping, since that's not required, but as something that uses it for interoperability.
i.e. it was introduced so the DTL could understand that strings from other template engines were pre-escaped.
The __html__() method is hardly documented — it's mentioned only in passing for html_safe.
I'm not 100% averse to the idea here—I can see the appeal— vs what? implementing str() to mark safe, or a proxy class doing the same for use in the admin...? Overriding the templates?, and so on... — but (A) security — do folks really emit safe HTML? — and then (B) it's a change in the intended use, so ... 😬
I'll initially say needsinfo rather than wontfix here.
- What does it really involve? Documenting __html__() and promoting to a recommended approach.
- A PoC concept PR: What do the changes look like? (In draft)
- Then, is there any support for such a change on the DevelopersMailingList? (vs the alternatives)
I hope that makes sense.
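The following is an added example, not code from the ticket or from Django, illustrating the security question (A) raised in comment 3: once a renderer honours __html__(), the method's output is trusted verbatim, so the method itself must escape every field it interpolates. `conditional_escape_model` is a simplified stand-in for django.utils.html.conditional_escape built on the standard library, and the `Ticket` classes and sample title are hypothetical.

```python
from html import escape


def conditional_escape_model(value):
    """Simplified stand-in for django.utils.html.conditional_escape:
    trust __html__() output as-is, otherwise HTML-escape str(value)."""
    if hasattr(value, "__html__"):
        return value.__html__()
    return escape(str(value))


class Ticket:
    """Hypothetical model-like object; `title` is user-controlled."""

    def __init__(self, title, state):
        self.title = title
        self.state = state

    def __str__(self):
        return f"{self.title} [{self.state}]"


class UnsafeTicket(Ticket):
    # Risky: the user-controlled title is interpolated without escaping,
    # and every __html__-aware renderer will trust the result.
    def __html__(self):
        return f'<span class="state-{self.state}">{self.title}</span>'


class SafeTicket(Ticket):
    # Hardened: only the fixed markup is literal; each field is escaped.
    def __html__(self):
        return '<span class="state-{}">{}</span>'.format(
            escape(self.state), escape(self.title)
        )


def render_all(title, state="open"):
    """Return the rendered string for each variant of the same data."""
    return {
        "str_only": conditional_escape_model(Ticket(title, state)),
        "unsafe_html": conditional_escape_model(UnsafeTicket(title, state)),
        "safe_html": conditional_escape_model(SafeTicket(title, state)),
    }


if __name__ == "__main__":
    # Constructed sample input standing in for a user-supplied title.
    for name, out in render_all("<b>urgent</b> & overdue").items():
        print(f"{name:12} {out}")
```

In real Django code, format_html() gives the hardened behaviour directly, since it passes each argument through conditional_escape before interpolation.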