escaped some text (#154)

soynatan · Jul 22, 2020 · 9ee3d21 · 9ee3d21
1 parent 6221d6a
commit 9ee3d21
Show file tree

Hide file tree

Showing 2 changed files with 17 additions and 11 deletions.
diff --git a/easyaudit/admin.py b/easyaudit/admin.py
@@ -8,6 +8,7 @@
     from django.core.urlresolvers import reverse
 
 from django.utils.safestring import mark_safe
+from django.utils.html import escape
 from . import settings
 from .models import CRUDEvent, LoginEvent, RequestEvent
 from .admin_helpers import prettify_json, EasyAuditModelAdmin
@@ -46,15 +47,16 @@ def object_repr_link(self, obj):
         if obj.event_type == CRUDEvent.DELETE:
             html = obj.object_repr
         else:
+            escaped_obj_repr = escape(obj.object_repr)
             try:
                 content_type = self.get_content_type(obj)
                 url = reverse("admin:%s_%s_change" % (
                     content_type.app_label,
                     content_type.model,
                 ), args=(obj.object_id,))
-                html = '<a href="%s">%s</a>' % (url, obj.object_repr)
-            except:
-                html = obj.object_repr
+                html = '<a href="%s">%s</a>' % (url, escaped_obj_repr)
+            except Exception:
+                html = escaped_obj_repr
         return mark_safe(html)
 
     object_repr_link.short_description = 'object repr'

diff --git a/easyaudit/admin_helpers.py b/easyaudit/admin_helpers.py
@@ -13,6 +13,7 @@
 from django.contrib import messages
 from django.conf.urls import url
 from django.utils.safestring import mark_safe
+from django.utils.html import escape
 from . import settings
 
 import json
@@ -21,12 +22,14 @@
 def prettify_json(json_string):
     """Given a JSON string, it returns it as a
     safe formatted HTML"""
+    escaped = escape(json_string)
     try:
-        data = json.loads(json_string)
-        html = '<pre>' + json.dumps(data, sort_keys=True, indent=4) + '</pre>'
-    except:
-        html = json_string
-    return mark_safe(html)
+        data = json.loads(escaped)
+        # html = '<pre>' + json.dumps(data, sort_keys=True, indent=4) + '</pre>'
+        html = json.dumps(data, sort_keys=True, indent=4)
+    except Exception:
+        html = escaped
+    return html
 
 
 class EasyAuditModelAdmin(admin.ModelAdmin):
@@ -48,15 +51,16 @@ def user_link(self, obj):
         #return mark_safe(get_user_link(user))
         if user is None:
             return '-'
+        escaped = escape(str(user))
         try:
             user_model = get_user_model()
             url = reverse("admin:%s_%s_change" % (
                 user_model._meta.app_label,
                 user_model._meta.model_name,
             ), args=(user.id,))
-            html = '<a href="%s">%s</a>' % (url, str(user))
-        except:
-            html = str(user)
+            html = '<a href="%s">%s</a>' % (url, escaped)
+        except Exception:
+            html = escaped
         return mark_safe(html)
     user_link.short_description = 'user'