From bc886fa01dd2873ffa6fc7fd35b2aea7eb5362ea Mon Sep 17 00:00:00 2001 From: Jethro Muller Date: Thu, 1 Mar 2018 18:24:00 +0200 Subject: [PATCH] Mark LogEntryAdminMixin methods output as safe where required (#167) * Mark LogEntryAdminMixin method output as safe where required Use format_html to provide conditional escaping and mark_safe functionality * Unwrap function call to prevent py27 and py34 errors --- src/auditlog/mixins.py | 14 ++++++-------- 1 file changed, 6 insertions(+), 8 deletions(-) diff --git a/src/auditlog/mixins.py b/src/auditlog/mixins.py index 7a66867..5a0b829 100644 --- a/src/auditlog/mixins.py +++ b/src/auditlog/mixins.py @@ -9,6 +9,7 @@ try: from django.urls.exceptions import NoReverseMatch except ImportError: from django.core.urlresolvers import NoReverseMatch +from django.utils.html import format_html from django.utils.safestring import mark_safe MAX = 75 @@ -28,10 +29,9 @@ class LogEntryAdminMixin(object): link = urlresolvers.reverse(viewname, args=[obj.actor.id]) except NoReverseMatch: return u'%s' % (obj.actor) - return u'%s' % (link, obj.actor) + return format_html(u'{}', link, obj.actor) return 'system' - user_url.allow_tags = True user_url.short_description = 'User' def resource_url(self, obj): @@ -43,8 +43,7 @@ class LogEntryAdminMixin(object): except NoReverseMatch: return obj.object_repr else: - return u'%s' % (link, obj.object_repr) - resource_url.allow_tags = True + return format_html(u'{}', link, obj.object_repr) resource_url.short_description = 'Resource' def msg_short(self, obj): @@ -66,9 +65,8 @@ class LogEntryAdminMixin(object): msg = '' for i, field in enumerate(sorted(changes), 1): value = [i, field] + (['***', '***'] if field == 'password' else changes[field]) - msg += '' % tuple(value) + msg += format_html('', *value) + msg += '
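Review bot: The NoReverseMatch fallback `return u'%s' % (obj.actor)` in user_url stays a plain str, so it is only safe because removing `allow_tags` lets the admin autoescape unmarked return values; nothing in the code records that, and a later `mark_safe` on that branch would bring back the unescaped-actor output this commit removes. I would pin it with a comment on that line: `# plain str on purpose: the admin autoescapes it; never mark_safe this branch`. The same applies to the `'system'` return and to resource_url's `return obj.object_repr`, which are user- or model-derived text rendered without format_html. user_url's signature and the start of its try block are before this hunk.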
#FieldFromTo
%s%s%s%s
{}{}{}{}
' - msg = mark_safe(msg) - return msg - msg.allow_tags = True + return mark_safe(msg) msg.short_description = 'Changes'
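Review bot: `return mark_safe(msg)` at the end of msg marks the whole accumulated string safe, so the escaping that the new `msg += format_html(..., *value)` line applies to the per-field values (which come from `json.loads(obj.changes)`, i.e. stored model content) holds only as long as every future `msg +=` also escapes; building the table with `format_html_join` and `format_html` and dropping the explicit `mark_safe` removes that trap, at the cost of importing `format_html_join` next to `format_html`. The extraction stripped the HTML tags from this page, so the templates below are reconstructed from the `#FieldFromTo` header text and the four `{}` cells and should be checked against the real file. Note also that `[i, field] + changes[field]` assumes each entry is a two-item old/new list; anything else hands format_html the wrong argument count. msg's signature and its `changes = json.loads(...)` line are before this hunk.
```python
        # … unchanged: early return for DELETE and changes = json.loads(obj.changes) …
        rows = format_html_join(
            '',
            '<tr><td>{}</td><td>{}</td><td>{}</td><td>{}</td></tr>',
            ([i, field] + (['***', '***'] if field == 'password' else changes[field])
             for i, field in enumerate(sorted(changes), 1)),
        )
        # No mark_safe: every interpolated value went through format_html's escaping.
        return format_html(
            '<table><thead><tr><th>#</th><th>Field</th><th>From</th><th>To</th></tr></thead>{}</table>',
            rows,
        )
    msg.short_description = 'Changes'
```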