Commit f2f8972d authored by Ola Sitarska's avatar Ola Sitarska Committed by Tim Graham

Fixed #25135 -- Deprecated the contrib.admin allow_tags attribute.

Thanks Jaap Roes for the idea and initial patch.
parent 1bbca796
+16 −5
@@ -14,7 +14,9 @@ from django.db.models.fields.related import ManyToManyRel
from django.forms.utils import flatatt
from django.template.defaultfilters import capfirst, linebreaksbr
from django.utils import six
from django.utils.deprecation import RemovedInDjango110Warning
from django.utils.deprecation import (
    RemovedInDjango20Warning, RemovedInDjango110Warning,
)
from django.utils.encoding import force_text, smart_text
from django.utils.functional import cached_property
from django.utils.html import conditional_escape, format_html
@@ -197,10 +199,19 @@ class AdminReadonlyField(object):
                boolean = getattr(attr, "boolean", False)
                if boolean:
                    result_repr = _boolean_icon(value)
                else:
                    if hasattr(value, "__html__"):
                        result_repr = value
                    else:
                        result_repr = smart_text(value)
                        if getattr(attr, "allow_tags", False):
                        result_repr = mark_safe(result_repr)
                            warnings.warn(
                                "Deprecated allow_tags attribute used on %s. "
                                "Use django.utils.safestring.format_html(), "
                                "format_html_join(), or mark_safe() instead." % attr,
                                RemovedInDjango20Warning
                            )
                            result_repr = mark_safe(value)
                        else:
                            result_repr = linebreaksbr(result_repr)
            else:
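Review bot: The deprecation message in the `allow_tags` branch points at the wrong module: it says `django.utils.safestring.format_html()`, but this file imports `format_html` from `django.utils.html` a few lines up, and `format_html_join()` is left unqualified. The same text is added in the `items_for_result` section of this commit. I would write `"Use django.utils.html.format_html(), format_html_join(), or "` followed by `"django.utils.safestring.mark_safe() instead." % attr`, so that someone migrating away from unescaped output is sent to the escaping helper first. Separately, the new line appears to be `result_repr = mark_safe(value)`, which skips the `smart_text(value)` result computed just above; `result_repr = mark_safe(result_repr)` would keep the old text conversion. The enclosing method starts and ends outside this hunk.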
+0 −1
@@ -753,7 +753,6 @@ class ModelAdmin(BaseModelAdmin):
        """
        return helpers.checkbox.render(helpers.ACTION_CHECKBOX_NAME, force_text(obj.pk))
    action_checkbox.short_description = mark_safe('<input type="checkbox" id="action-toggle" />')
    action_checkbox.allow_tags = True

    def get_actions(self, request):
        """
+8 −4
from __future__ import unicode_literals

import datetime
import warnings

from django.contrib.admin.templatetags.admin_static import static
from django.contrib.admin.templatetags.admin_urls import add_preserved_filters
@@ -16,6 +17,7 @@ from django.db import models
from django.template import Library
from django.template.loader import get_template
from django.utils import formats
from django.utils.deprecation import RemovedInDjango20Warning
from django.utils.encoding import force_text
from django.utils.html import escapejs, format_html
from django.utils.safestring import mark_safe
@@ -207,12 +209,14 @@ def items_for_result(cl, result, form):
                    row_classes = ['action-checkbox']
                allow_tags = getattr(attr, 'allow_tags', False)
                boolean = getattr(attr, 'boolean', False)
                if boolean or not value:
                    allow_tags = True
                result_repr = display_for_value(value, empty_value_display, boolean)
                # Strip HTML tags in the resulting text, except if the
                # function has an "allow_tags" attribute set to True.
                if allow_tags:
                    warnings.warn(
                        "Deprecated allow_tags attribute used on field {}. "
                        "Use django.utils.safestring.format_html(), "
                        "format_html_join(), or mark_safe() instead.".format(field_name),
                        RemovedInDjango20Warning
                    )
                    result_repr = mark_safe(result_repr)
                if isinstance(value, (datetime.date, datetime.time)):
                    row_classes.append('nowrap')
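Review bot: The warning added under `if allow_tags:` names only `field_name`, so in a project with several admins it does not say which `ModelAdmin` still sends unescaped output through `mark_safe(result_repr)`. Including the admin class would make the remaining uses easy to audit, for example `"Deprecated allow_tags attribute used on field {} of {}. "` formatted with `field_name` and `type(cl.model_admin).__name__` (assuming `cl.model_admin` is the admin instance here; the hunk does not show it). The readonly-field warning in the first section formats `attr` with `%s` instead, which prints the callable's repr, so the two messages should identify the method the same way. `items_for_result` starts and ends outside this hunk.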
+3 −0
@@ -265,6 +265,9 @@ details on these changes.
* The warning that :class:`~django.core.signing.Signer` issues when given an
  invalid separator will become an exception.

* Support for the ``allow_tags`` attribute on ``ModelAdmin`` methods will be
  removed.

.. _deprecation-removed-in-1.9:

1.9
+12 −11
@@ -583,11 +583,9 @@ subclass::
      ``False``.

    * If the string given is a method of the model, ``ModelAdmin`` or a
      callable, Django will HTML-escape the output by default. If you'd
      rather not escape the output of the method, give the method an
      ``allow_tags`` attribute whose value is ``True``. However, to avoid an
      XSS vulnerability, you should use :func:`~django.utils.html.format_html`
      to escape user-provided inputs.
      callable, Django will HTML-escape the output by default. To escape
      user input and allow your own unescaped tags, use
      :func:`~django.utils.html.format_html`.

      Here's a full example model::

@@ -606,11 +604,17 @@ subclass::
                                     self.first_name,
                                     self.last_name)

              colored_name.allow_tags = True

          class PersonAdmin(admin.ModelAdmin):
              list_display = ('first_name', 'last_name', 'colored_name')

      .. deprecated:: 1.9

          In older versions, you could add an ``allow_tags`` attribute to the
          method to prevent auto-escaping. This attribute is deprecated as it's
          safer to use :func:`~django.utils.html.format_html`,
          :func:`~django.utils.html.format_html_join`, or
          :func:`~django.utils.safestring.mark_safe` instead.

    * If the value of a field is ``None``, an empty string, or an iterable
      without elements, Django will display ``-`` (a dash). You can override
      this with :attr:`AdminSite.empty_value_display`::
@@ -688,7 +692,6 @@ subclass::
                                   self.color_code,
                                   self.first_name)

            colored_first_name.allow_tags = True
            colored_first_name.admin_order_field = 'first_name'

        class PersonAdmin(admin.ModelAdmin):
@@ -1095,12 +1098,10 @@ subclass::
                    mark_safe('<br/>'),
                    '{}',
                    ((line,) for line in instance.get_full_address()),
                ) or "<span class='errors'>I can't determine this address.</span>"
                ) or mark_safe("<span class='errors'>I can't determine this address.</span>")

            # short_description functions like a model field's verbose_name
            address_report.short_description = "Address"
            # in this example, we have used HTML tags in the output
            address_report.allow_tags = True

.. attribute:: ModelAdmin.save_as
