Prevent django admin from escaping html

Andy · Jul 21, 2010 · Viewed 17.4k times

I'm trying to display image thumbnails in django admin's list_display and I am doing it like this:

from django.contrib import admin
from django.utils.safestring import mark_safe

class PhotoAdmin(admin.ModelAdmin):
    fields = ('title', 'image',)
    list_display = ('title', '_get_thumbnail',)

    def _get_thumbnail(self, obj):
        return mark_safe(u'<img src="%s" />' % obj.admin_thumbnail.url)

Admin keeps displaying the thumbnail as escaped html, although I marked the string as safe. What am I doing wrong?

Answer

Alasdair · Jul 21, 2010

As of Django 1.9, you can use format_html(), format_html_join(), or allow_tags in your method. See the list_display docs for more info.

The code in the question using mark_safe will work. However, a better option for methods like these might be format_html, which will escape arguments.

from django.utils.html import format_html

def _get_thumbnail(self, obj):
    return format_html(u'<img src="{}" />', obj.admin_thumbnail.url)

In earlier versions of Django, using mark_safe() would not work, and Django would escape the output. The solution was to give the method an allow_tags attribute with the value set to True.

class PhotoAdmin(admin.ModelAdmin):
    fields = ('title', 'image',)
    list_display = ('title', '_get_thumbnail',)

    def _get_thumbnail(self, obj):
        return u'<img src="%s" />' % obj.admin_thumbnail.url
    _get_thumbnail.allow_tags = True
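
A static check for the patterns on this page, as an added example that is not part of the original question or answer: format_html() escapes its arguments, while mark_safe() around an already interpolated string and allow_tags = True emit the interpolated value verbatim. The function name find_unescaped_html and the sample source are constructed for illustration.

```python
import ast

# Constructed sample input: the three admin methods discussed above, as source.
SAMPLE = '''
class PhotoAdmin(admin.ModelAdmin):
    def thumb_a(self, obj):
        return mark_safe(u'<img src="%s" />' % obj.admin_thumbnail.url)
    def thumb_b(self, obj):
        return format_html(u'<img src="{}" />', obj.admin_thumbnail.url)
    def thumb_c(self, obj):
        return u'<img src="%s" />' % obj.admin_thumbnail.url
    thumb_c.allow_tags = True
'''


def _call_name(node):
    """Bare name of the called function: mark_safe or safestring.mark_safe."""
    func = node.func
    return func.attr if isinstance(func, ast.Attribute) else getattr(func, "id", None)


def _is_interpolated(arg):
    """True for '...' % x, f'...{x}' and '...'.format(x)."""
    if isinstance(arg, ast.BinOp) and isinstance(arg.op, ast.Mod):
        return True
    if isinstance(arg, ast.JoinedStr):
        return any(isinstance(v, ast.FormattedValue) for v in arg.values)
    return (isinstance(arg, ast.Call) and isinstance(arg.func, ast.Attribute)
            and arg.func.attr == "format")


def find_unescaped_html(source):
    """Return sorted (line, reason) pairs for markup emitted without escaping."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if (isinstance(node, ast.Call) and _call_name(node) == "mark_safe"
                and node.args and _is_interpolated(node.args[0])):
            findings.append((node.lineno, "mark_safe() on interpolated string"))
        elif isinstance(node, ast.Assign):
            on = isinstance(node.value, ast.Constant) and node.value.value is True
            if on and any(isinstance(t, ast.Attribute) and t.attr == "allow_tags"
                          for t in node.targets):
                findings.append((node.lineno, "allow_tags = True on admin method"))
    return sorted(findings)


if __name__ == "__main__":
    for line, reason in find_unescaped_html(SAMPLE):
        print(f"line {line}: {reason}")
```

A mark_safe() call on a constant string is not reported, since nothing is interpolated into it.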