How do I use allow_tags in django 2.0 admin?

#1
> Support for the allow_tags attribute on ModelAdmin methods is removed.
Reply

#2
If you have your code in `admin.py`, you can overwrite it by adding only the `mark_safe` function, like the example below:

```python
from django.utils.safestring import mark_safe

def get_image_tag(self):
    if self.picture:
        return mark_safe('<img src="%s" width="60" height="75" />' % self.picture.url)
    else:
        return ' '
get_image_tag.short_description = 'Photo'
#get_image_tag.allow_tags = True #redundant
get_image_tag.admin_order_field = 'name'
```

This code was tested in Django 2.0.2 and Python 3.6.4.
Reply

#3
In addition to the other answers, you can use the `mark_safe` function as a decorator:

```python
from django.utils.safestring import mark_safe

@mark_safe
def icon_pw(self, obj):
    return f'<img src="{obj.icon.url}" />' if obj.icon else ''
icon_pw.short_description = 'Icon'
icon_pw.allow_tags = True
```

This is the easy way to upgrade your old Django admin code to 2.0.
Reply

#4
Just found the answer, use the `mark_safe` function.

In old code, you may use:

```python
def image_(self, obj):
    return '<image src="%s" />' % obj.image
image_.allow_tags = True
```

In new code, you should use:

```python
from django.utils.safestring import mark_safe

def image(self, obj):
    return mark_safe('<image src="%s" />' % obj.image)
```

Reply

#5
TL;DR: You should probably use `format_html()` rather than `mark_safe`, as recommended by other answers.

The way other answers recommend to use `mark_safe` will just mark the *entire* resulting string as safe HTML. IOW, you're telling Django "This is valid and safe HTML, I have ensured any needed escaping has happened". Except that the other answers do not actually do the required escaping.

Consider the following (imperfect) approach from another answer:

```python
from django.utils.safestring import mark_safe
def image(self, obj):
    return mark_safe('<image src="%s" />' % obj.image)
```

If `obj.image` now contains a `"`, or worse, is user input and contains an XSS attack, this will break the resulting HTML.


To prevent this, all data that is interpolated *into* such HTML snippets should be individually escaped beforehand. Fortunately there is the `format_html()` function which does both interpolation and the needed escaping. With that, the above example would become:

```python
from django.utils.html import format_html
def image(self, obj):
    return format_html('<image src="{}" />', obj.image)
```

Note that this uses `{}` format strings rather than `%s`, since `format_html()` is based on `str.format()`, which uses that style.
Reply
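
A static check for the pattern post #5 warns about, as an added example that is not part of the thread or of Django: it parses admin code with Python's `ast` module and reports methods where a string built with `%`, an f-string or `str.format()` is passed to `mark_safe` or returned from a `@mark_safe`-decorated method. The function names and the `SAMPLE` module, assembled from the thread's snippets, are constructed for illustration.

```python
import ast

# Constructed sample: the admin methods from posts #4, #3 and #5 in one module.
SAMPLE = """\
from django.utils.html import format_html
from django.utils.safestring import mark_safe

def image(self, obj):
    return mark_safe('<image src="%s" />' % obj.image)

@mark_safe
def icon_pw(self, obj):
    return f'<img src="{obj.icon.url}" />' if obj.icon else ''

def image_fixed(self, obj):
    return format_html('<image src="{}" />', obj.image)
"""

def _is_mark_safe(node):
    """True for a bare `mark_safe` name or an attribute such as `safestring.mark_safe`."""
    return (isinstance(node, ast.Name) and node.id == "mark_safe") or (
        isinstance(node, ast.Attribute) and node.attr == "mark_safe")

def _interpolates(expr):
    """True if expr builds a string with %, an f-string placeholder or .format()."""
    return any(
        isinstance(n, ast.FormattedValue)
        or (isinstance(n, ast.BinOp) and isinstance(n.op, ast.Mod))
        or (isinstance(n, ast.Call) and isinstance(n.func, ast.Attribute)
            and n.func.attr == "format")
        for n in ast.walk(expr))

def find_unescaped_mark_safe(source):
    """Return sorted (line, function) pairs where interpolated HTML is marked safe."""
    findings = set()
    for func in ast.walk(ast.parse(source)):
        if not isinstance(func, ast.FunctionDef):
            continue
        decorated = any(_is_mark_safe(d) for d in func.decorator_list)
        for n in ast.walk(func):
            if (isinstance(n, ast.Call) and _is_mark_safe(n.func)
                    and n.args and _interpolates(n.args[0])):
                findings.add((n.lineno, func.name))
            elif (decorated and isinstance(n, ast.Return)
                    and n.value is not None and _interpolates(n.value)):
                findings.add((n.lineno, func.name))
    return sorted(findings)

print(find_unescaped_mark_safe(SAMPLE))  # [(5, 'image'), (9, 'icon_pw')]
```

The check only looks inside function bodies and treats any `%` expression as string formatting, so review each hit before rewriting it with `format_html()`.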


