[1.7.x] Fixed #24461 -- Fixed XSS issue in ModelAdmin.readonly_fields

2025-10-31 09:41:08 +00:00 · 2015-03-08 11:50:32 +01:00
parent 5a3b531121
commit 2654e1b939
5 changed files with 34 additions and 4 deletions
--- a/django/contrib/admin/helpers.py
+++ b/django/contrib/admin/helpers.py
@@ -193,7 +193,7 @@ class AdminReadonlyField(object):
                    if getattr(attr, "allow_tags", False):
                        result_repr = mark_safe(result_repr)
                    else:
-                        result_repr = linebreaksbr(result_repr)
+                        result_repr = linebreaksbr(result_repr, autoescape=True)
            else:
                if isinstance(f.rel, ManyToManyRel) and value is not None:
                    result_repr = ", ".join(map(six.text_type, value.all()))