From f2f8972def26cea2b0e8dbe763e11436d194e3d4 Mon Sep 17 00:00:00 2001 From: Ola Sitarska Date: Tue, 8 Sep 2015 20:46:26 +0100 Subject: Fixed #25135 -- Deprecated the contrib.admin allow_tags attribute. Thanks Jaap Roes for the idea and initial patch. --- docs/ref/contrib/admin/index.txt | 23 ++++++++++++----------- 1 file changed, 12 insertions(+), 11 deletions(-) (limited to 'docs/ref') diff --git a/docs/ref/contrib/admin/index.txt b/docs/ref/contrib/admin/index.txt index 236841dc69..db977b74bd 100644 --- a/docs/ref/contrib/admin/index.txt +++ b/docs/ref/contrib/admin/index.txt @@ -583,11 +583,9 @@ subclass:: ``False``. * If the string given is a method of the model, ``ModelAdmin`` or a - callable, Django will HTML-escape the output by default. If you'd - rather not escape the output of the method, give the method an - ``allow_tags`` attribute whose value is ``True``. However, to avoid an - XSS vulnerability, you should use :func:`~django.utils.html.format_html` - to escape user-provided inputs. + callable, Django will HTML-escape the output by default. To escape + user input and allow your own unescaped tags, use + :func:`~django.utils.html.format_html`. Here's a full example model:: @@ -606,11 +604,17 @@ subclass:: self.first_name, self.last_name) - colored_name.allow_tags = True - class PersonAdmin(admin.ModelAdmin): list_display = ('first_name', 'last_name', 'colored_name') + .. deprecated:: 1.9 + + In older versions, you could add an ``allow_tags`` attribute to the + method to prevent auto-escaping. This attribute is deprecated as it's + safer to use :func:`~django.utils.html.format_html`, + :func:`~django.utils.html.format_html_join`, or + :func:`~django.utils.safestring.mark_safe` instead. + * If the value of a field is ``None``, an empty string, or an iterable without elements, Django will display ``-`` (a dash). You can override this with :attr:`AdminSite.empty_value_display`:: @@ -688,7 +692,6 @@ subclass:: self.color_code, self.first_name) - colored_first_name.allow_tags = True colored_first_name.admin_order_field = 'first_name' class PersonAdmin(admin.ModelAdmin): @@ -1095,12 +1098,10 @@ subclass:: mark_safe('
'), '{}', ((line,) for line in instance.get_full_address()), - ) or "I can't determine this address." + ) or mark_safe("I can't determine this address.") # short_description functions like a model field's verbose_name address_report.short_description = "Address" - # in this example, we have used HTML tags in the output - address_report.allow_tags = True .. attribute:: ModelAdmin.save_as -- cgit v1.3