Skip to content

Commit 502f61f

Browse files
committed
Use format_html and mark_safe instead of the allow_tags attribute for admin links
1 parent 61b699f commit 502f61f

1 file changed

Lines changed: 39 additions & 24 deletions

File tree

src/sa_api_v2/admin.py

Lines changed: 39 additions & 24 deletions
Original file line numberDiff line numberDiff line change
@@ -17,7 +17,8 @@
1717
from django.urls import reverse
1818
from django.forms import ValidationError, ModelForm
1919
from django.http import HttpResponseRedirect
20-
from django.utils.html import escape
20+
from django.utils.html import escape, format_html
21+
from django.utils.safestring import mark_safe
2122
from django_ace import AceWidget
2223
from django_object_actions import DjangoObjectActions
2324
from . import models
@@ -140,19 +141,25 @@ class InlineApiKeyAdmin(admin.StackedInline):
140141

141142
def permissions_list(self, instance):
142143
if instance.pk:
143-
return '<ul>%s</ul>' % ''.join(['<li>%s</li>' % (escape(permission),) for permission in instance.permissions.all()])
144+
return format_html(
145+
'<ul>{}</ul>',
146+
mark_safe(''.join([
147+
format_html('<li>{}</li>', escape(permission))
148+
for permission in instance.permissions.all()
149+
]))
150+
)
144151
else:
145152
return ''
146153

147154
def edit_url(self, instance):
148155
if instance.pk is None:
149156
return '(You must save your dataset before you can edit the permissions on your API key.)'
150157
else:
151-
return (
152-
'<a href="%s"><strong>Edit permissions</strong></a>' % (reverse('admin:sa_api_v2_apikey_change', args=[instance.pk]))
153-
+ self.permissions_list(instance)
158+
return format_html(
159+
'<a href="{}"><strong>Edit permissions</strong></a>{}',
160+
reverse('admin:sa_api_v2_apikey_change', args=[instance.pk]),
161+
self.permissions_list(instance)
154162
)
155-
edit_url.allow_tags = True
156163

157164

158165
class InlineOriginAdmin(admin.StackedInline):
@@ -164,19 +171,25 @@ class InlineOriginAdmin(admin.StackedInline):
164171

165172
def permissions_list(self, instance):
166173
if instance.pk:
167-
return '<ul>%s</ul>' % ''.join(['<li>%s</li>' % (escape(permission),) for permission in instance.permissions.all()])
174+
return format_html(
175+
'<ul>{}</ul>',
176+
mark_safe(''.join([
177+
format_html('<li>{}</li>', escape(permission))
178+
for permission in instance.permissions.all()
179+
]))
180+
)
168181
else:
169182
return ''
170183

171184
def edit_url(self, instance):
172185
if instance.pk is None:
173186
return '(You must save your dataset before you can edit the permissions on your origin.)'
174187
else:
175-
return (
176-
'<a href="%s"><strong>Edit permissions</strong></a>' % (reverse('admin:sa_api_v2_origin_change', args=[instance.pk]))
177-
+ self.permissions_list(instance)
188+
return format_html(
189+
'<a href="{}"><strong>Edit permissions</strong></a>{}',
190+
reverse('admin:sa_api_v2_origin_change', args=[instance.pk]),
191+
self.permissions_list(instance)
178192
)
179-
edit_url.allow_tags = True
180193

181194

182195
class InlineGroupAdmin(admin.StackedInline):
@@ -187,19 +200,25 @@ class InlineGroupAdmin(admin.StackedInline):
187200

188201
def permissions_list(self, instance):
189202
if instance.pk:
190-
return '<ul>%s</ul>' % ''.join(['<li>%s</li>' % (escape(permission),) for permission in instance.permissions.all()])
203+
return format_html(
204+
'<ul>{}</ul>',
205+
mark_safe(''.join([
206+
format_html('<li>{}</li>', escape(permission))
207+
for permission in instance.permissions.all()
208+
]))
209+
)
191210
else:
192211
return ''
193212

194213
def edit_url(self, instance):
195214
if instance.pk is None:
196215
return '(You must save your dataset before you can edit the permissions on your API key.)'
197216
else:
198-
return (
199-
'<a href="%s"><strong>Edit permissions</strong></a>' % (reverse('admin:sa_api_v2_group_change', args=[instance.pk]))
200-
+ self.permissions_list(instance)
217+
return format_html(
218+
'<a href="{}"><strong>Edit permissions</strong></a>{}',
219+
reverse('admin:sa_api_v2_group_change', args=[instance.pk]),
220+
self.permissions_list(instance)
201221
)
202-
edit_url.allow_tags = True
203222

204223

205224
class InlineDataSetPermissionAdmin(admin.TabularInline):
@@ -266,13 +285,11 @@ def clone_dataset(self, request, obj):
266285
def places(self, instance):
267286
path = '/admin/sa_api_v2/place/?dataset={}'
268287
path = path.format(instance.slug)
269-
return '<a href="{0}">{0}</a>'.format(path)
270-
places.allow_tags = True
288+
return format_html('<a href="{0}">{0}</a>', path)
271289

272290
def api_path(self, instance):
273291
path = reverse('dataset-detail', args=[instance.owner, instance.slug])
274-
return '<a href="{0}">{0}</a>'.format(path)
275-
api_path.allow_tags = True
292+
return format_html('<a href="{0}">{0}</a>', path)
276293

277294
def get_queryset(self, request):
278295
qs = super(DataSetAdmin, self).get_queryset(request)
@@ -303,8 +320,7 @@ class PlaceAdmin(SubmittedThingAdmin):
303320

304321
def api_path(self, instance):
305322
path = reverse('place-detail', args=[instance.dataset.owner, instance.dataset.slug, instance.id])
306-
return '<a href="{0}">{0}</a>'.format(path)
307-
api_path.allow_tags = True
323+
return format_html('<a href="{0}">{0}</a>', path)
308324

309325

310326
class SubmissionAdmin(SubmittedThingAdmin):
@@ -327,8 +343,7 @@ def place(self, obj):
327343

328344
def api_path(self, instance):
329345
path = reverse('submission-detail', args=[instance.dataset.owner, instance.dataset.slug, instance.place.id, instance.set_name, instance.id])
330-
return '<a href="{0}">{0}</a>'.format(path)
331-
api_path.allow_tags = True
346+
return format_html('<a href="{0}">{0}</a>', path)
332347

333348

334349
class ActionAdmin(admin.ModelAdmin):

0 commit comments

Comments
 (0)