@@ -12,6 +12,7 @@ from django.forms import CharField, ModelMultipleChoiceField, MultipleHiddenInpu
from django.http import HttpResponse
from django.shortcuts import get_object_or_404, redirect, render
from django.template import TemplateSyntaxError
+from django.utils.html import escape
from django.utils.http import is_safe_url
from django.views.generic import View
@@ -194,9 +195,9 @@ class ObjectEditView(View):
msg = u'Created ' if obj_created else u'Modified '
msg += self.model._meta.verbose_name
if hasattr(obj, 'get_absolute_url'):
- msg = u'{} <a href="{}">{}</a>'.format(msg, obj.get_absolute_url(), obj)
+ msg = u'{} <a href="{}">{}</a>'.format(msg, obj.get_absolute_url(), escape(obj))
else:
- msg = u'{} {}'.format(msg, obj)
+ msg = u'{} {}'.format(msg, escape(obj))
messages.success(request, msg)
if obj_created:
UserAction.objects.log_create(request.user, obj, msg)
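Review bot: Only `obj` is escaped on the new `<a>` line, while `obj.get_absolute_url()` is interpolated into the `href` attribute unescaped; it presumably comes from `reverse()`, but `format_html(u'{} <a href="{}">{}</a>', msg, obj.get_absolute_url(), obj)` from `django.utils.html` would escape every argument and return a string still marked safe, whereas `escape(obj)` inside a plain `.format()` yields ordinary text that relies on whatever renders the message applying `|safe`. The same applies to the `escape(obj)` line in the else branch and to the `Deleted` line in the ObjectDeleteView hunk. Note also that the escaped string is what reaches `UserAction.objects.log_create(request.user, obj, msg)` here and `log_delete` in the next hunk, so the audit record now stores HTML entities (`&amp;`, `&lt;`) for object names and will double-encode if that log is escaped again on display; consider logging the unescaped name, or add `# msg is HTML-escaped; it is stored verbatim in UserAction` at the log call. The enclosing method of ObjectEditView starts and ends outside the hunk.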
@@ -266,7 +267,7 @@ class ObjectDeleteView(View):
handle_protectederror(obj, request, e)
return redirect(obj.get_absolute_url())
- msg = u'Deleted {} {}'.format(self.model._meta.verbose_name, obj)
+ msg = u'Deleted {} {}'.format(self.model._meta.verbose_name, escape(obj))
messages.success(request, msg)
UserAction.objects.log_delete(request.user, obj, msg)