Fixed #24466 -- Added JavaScript escaping in a couple places in the admin.

Thanks Aymeric Augustin and Florian Apolloner for work on the patch.
2025-08-04 19:08:28 +00:00 · 2015-03-06 12:45:53 -05:00 · 2015-03-06 12:45:53 -05:00 · 845817b039
commit 845817b039
parent b86abbceb9
9 changed files with 77 additions and 26 deletions
--- a/tests/admin_inlines/test_templates.py
+++ b/tests/admin_inlines/test_templates.py
@ -0,0 +1,21 @@
+from __future__ import unicode_literals
+
+from django.template.loader import render_to_string
+from django.test import SimpleTestCase
+
+
+class TestTemplates(SimpleTestCase):
+    def test_javascript_escaping(self):
+        context = {
+            'inline_admin_formset': {
+                'formset': {'prefix': 'my-prefix'},
+                'opts': {'verbose_name': 'verbose name\\'},
+            },
+        }
+        output = render_to_string('admin/edit_inline/stacked.html', context)
+        self.assertIn('prefix: "my\\u002Dprefix",', output)
+        self.assertIn('addText: "Add another Verbose name\\u005C"', output)
+
+        output = render_to_string('admin/edit_inline/tabular.html', context)
+        self.assertIn('prefix: "my\\u002Dprefix",', output)
+        self.assertIn('addText: "Add another Verbose name\\u005C"', output)
--- a/tests/admin_inlines/tests.py
+++ b/tests/admin_inlines/tests.py
@ -78,7 +78,7 @@ class TestInline(TestDataMixin, TestCase):
        # The heading for the m2m inline block uses the right text
        self.assertContains(response, '<h2>Author-book relationships</h2>')
        # The "add another" label is correct
-        self.assertContains(response, 'Add another Author-book relationship')
+        self.assertContains(response, 'Add another Author\\u002Dbook relationship')
        # The '+' is dropped from the autogenerated form prefix (Author_books+)
        self.assertContains(response, 'id="id_Author_books-TOTAL_FORMS"')

@ -524,7 +524,7 @@ class TestInlinePermissions(TestCase):
        response = self.client.get(reverse('admin:admin_inlines_author_add'))
        # No change permission on books, so no inline
        self.assertNotContains(response, '<h2>Author-book relationships</h2>')
-        self.assertNotContains(response, 'Add another Author-Book Relationship')
+        self.assertNotContains(response, 'Add another Author\\u002DBook Relationship')
        self.assertNotContains(response, 'id="id_Author_books-TOTAL_FORMS"')

    def test_inline_add_fk_noperm(self):
@ -538,7 +538,7 @@ class TestInlinePermissions(TestCase):
        response = self.client.get(self.author_change_url)
        # No change permission on books, so no inline
        self.assertNotContains(response, '<h2>Author-book relationships</h2>')
-        self.assertNotContains(response, 'Add another Author-Book Relationship')
+        self.assertNotContains(response, 'Add another Author\\u002DBook Relationship')
        self.assertNotContains(response, 'id="id_Author_books-TOTAL_FORMS"')

    def test_inline_change_fk_noperm(self):
@ -554,7 +554,7 @@ class TestInlinePermissions(TestCase):
        response = self.client.get(reverse('admin:admin_inlines_author_add'))
        # No change permission on Books, so no inline
        self.assertNotContains(response, '<h2>Author-book relationships</h2>')
-        self.assertNotContains(response, 'Add another Author-Book Relationship')
+        self.assertNotContains(response, 'Add another Author\\u002DBook Relationship')
        self.assertNotContains(response, 'id="id_Author_books-TOTAL_FORMS"')

    def test_inline_add_fk_add_perm(self):
@ -573,7 +573,7 @@ class TestInlinePermissions(TestCase):
        response = self.client.get(self.author_change_url)
        # No change permission on books, so no inline
        self.assertNotContains(response, '<h2>Author-book relationships</h2>')
-        self.assertNotContains(response, 'Add another Author-Book Relationship')
+        self.assertNotContains(response, 'Add another Author\\u002DBook Relationship')
        self.assertNotContains(response, 'id="id_Author_books-TOTAL_FORMS"')
        self.assertNotContains(response, 'id="id_Author_books-0-DELETE"')

@ -583,7 +583,7 @@ class TestInlinePermissions(TestCase):
        response = self.client.get(self.author_change_url)
        # We have change perm on books, so we can add/change/delete inlines
        self.assertContains(response, '<h2>Author-book relationships</h2>')
-        self.assertContains(response, 'Add another Author-book relationship')
+        self.assertContains(response, 'Add another Author\\u002Dbook relationship')
        self.assertContains(response, '<input type="hidden" id="id_Author_books-TOTAL_FORMS" '
                            'value="4" name="Author_books-TOTAL_FORMS" />', html=True)
        self.assertContains(response, '<input type="hidden" id="id_Author_books-0-id" '