escaped some text

jdkizer9 · jdkizer9 · commit 6c92a6524f2d · 2019-11-18T18:16:01.000-07:00
diff --git a/easyaudit/admin.py b/easyaudit/admin.py
@@ -6,6 +6,7 @@
     from django.core.urlresolvers import reverse
 
 from django.utils.safestring import mark_safe
+from django.utils.html import escape
 from . import settings
 from .models import CRUDEvent, LoginEvent, RequestEvent
 from .admin_helpers import prettify_json, EasyAuditModelAdmin
@@ -28,13 +29,14 @@ def object_repr_link(self, obj):
             html = obj.object_repr
         else:
             try:
+                escaped_obj_repr = escape(obj.object_repr)
                 url = reverse("admin:%s_%s_change" % (
                     obj.content_type.app_label,
                     obj.content_type.model,
                 ), args=(obj.object_id,))
-                html = '<a href="%s">%s</a>' % (url, obj.object_repr)
+                html = '<a href="%s">%s</a>' % (url, escaped_obj_repr)
             except:
-                html = obj.object_repr
+                html = escape(obj.object_repr)
         return mark_safe(html)
 
     object_repr_link.short_description = 'object repr'
diff --git a/easyaudit/admin_helpers.py b/easyaudit/admin_helpers.py
@@ -13,20 +13,22 @@
 from django.contrib import messages
 from django.conf.urls import url
 from django.utils.safestring import mark_safe
+from django.utils.html import escape
 from . import settings
 
 import json
 
-
 def prettify_json(json_string):
     """Given a JSON string, it returns it as a
     safe formatted HTML"""
+    escaped = escape(json_string)
     try:
-        data = json.loads(json_string)
-        html = '<pre>' + json.dumps(data, sort_keys=True, indent=4) + '</pre>'
+        data = json.loads(escaped)
+        # html = '<pre>' + json.dumps(data, sort_keys=True, indent=4) + '</pre>'
+        html = json.dumps(data, sort_keys=True, indent=4)
     except:
-        html = json_string
-    return mark_safe(html)
+        html = escaped
+    return html
 
 
 class EasyAuditModelAdmin(admin.ModelAdmin):
@@ -38,13 +40,14 @@ def user_link(self, obj):
             return '-'
         try:
             user_model = get_user_model()
+            escaped = escape(str(user))
             url = reverse("admin:%s_%s_change" % (
                 user_model._meta.app_label,
                 user_model._meta.model_name,
             ), args=(user.id,))
-            html = '<a href="%s">%s</a>' % (url, str(user))
+            html = '<a href="%s">%s</a>' % (url, escaped)
         except:
-            html = str(user)
+            html = escape(str(user))
         return mark_safe(html)
     user_link.short_description = 'user'
 
