#660 closed defect (fixed)
admin executes template code that happens to be in strings in the list views
Reported by: | hugo | Owned by: | Adrian Holovaty |
---|---|---|---|
Component: | contrib.admin | Version: | |
Severity: | normal | Keywords: | new-admin |
Cc: | | Triage Stage: | Unreviewed |
Has patch: | no | Needs documentation: | no |
Needs tests: | no | Patch needs improvement: | no |
Easy pickings: | no | UI/UX: | no |
Description
When you have a field that stores template snippets and add that field to the list_display tuple to show up in admin list views, the template code in those snippets is evaluated. I suppose this is because of the dynamic creation of the admin template code.
Change History (3)
comment:1 by , 19 years ago
comment:2 by , 19 years ago
Keywords: | new-admin added |
---|
Would this maybe be fixed with the new_admin branch? Otherwise it definitely needs a solution, as it would allow users to break the admin templates by including broken template code in string fields. And if the shown strings are editable from the outside (maybe within the commenting system), even outside users could break the admin.
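The cause the reporter suspects, field values ending up inside dynamically generated template source, can be reproduced in miniature. The following is an added example, not code from the ticket or from Django: the toy `render` function, the two row builders and the sample records are all hypothetical stand-ins, with the generated-source pattern shown beside one that passes values through the context only.

```python
import html
import re

# Toy stand-in for a template engine (not Django's): {{ name }} is looked up
# in the context, any {% ... %} tag is rejected as a syntax error.
_TOKEN = re.compile(r"\{\{\s*(\w+)\s*\}\}|\{%.*?%\}")


class TemplateSyntaxError(Exception):
    pass


def render(source, context):
    def substitute(match):
        if match.group(1) is None:
            raise TemplateSyntaxError("unknown tag: " + match.group(0))
        # Substituted values are output only; re.sub never rescans them.
        return html.escape(str(context.get(match.group(1), "")))
    return _TOKEN.sub(substitute, source)


def list_row_generated(row, context):
    # Pattern suspected in the ticket: field values are pasted into the
    # template source, so markup stored in a field is parsed as template code.
    cells = "".join("<td>%s</td>" % value for value in row.values())
    return render("<tr>" + cells + "</tr>", context)


def list_row_contextual(row, context):
    # Hardened pattern: the source only names the fields; the values travel
    # in the context and are never parsed.
    cells = "".join("<td>{{ %s }}</td>" % name for name in row)
    return render("<tr>" + cells + "</tr>", {**context, **row})


# Constructed sample data (hypothetical records and context).
CTX = {"admin_email": "root@example.invalid"}
SNIPPET_ROW = {"title": "Welcome mail", "body": "Hello {{ admin_email }}"}
BROKEN_ROW = {"title": "Draft", "body": "{% endif %}"}

if __name__ == "__main__":
    print(list_row_generated(SNIPPET_ROW, CTX))    # snippet evaluated
    print(list_row_contextual(SNIPPET_ROW, CTX))   # snippet shown literally
    print(list_row_contextual(BROKEN_ROW, CTX))    # broken tag shown literally
    try:
        list_row_generated(BROKEN_ROW, CTX)
    except TemplateSyntaxError as exc:
        print("list view failed:", exc)
```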