Use the format_html utility. This will escape any HTML from parameters and mark the string as safe to use in templates. The allow_tags method attribute has been deprecated in Django 1.9.
    from django.utils.html import format_html
    from django.contrib import admin

    class LawyerAdmin(admin.ModelAdmin):
        list_display = ['show_firm_url', ...]
        ...

        @admin.display(description="Firm URL")
        def show_firm_url(self, obj):
            # format_html escapes obj.firm_url, then marks the whole string safe
            return format_html('<a href="{url}">{url}</a>', url=obj.firm_url)
Now your admin users are safe even in the case of:
    firm_url == 'http://a.aa/<script>eval(...);</script>'
See the documentation for more info.
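As an added illustration (not part of the answer above), the following puts the old "interpolate, then mark_safe" pattern next to the format_html one and runs both on the firm_url value from the answer. The `legacy_link`, `safe_link` and `contains_live_script` names are mine; the stand-in used when Django is not installed is also mine and follows the same escaping rules as django.utils.html.

```python
import html

try:
    # Real Django: these helpers need no configured settings.
    from django.utils.html import format_html
    from django.utils.safestring import mark_safe
except ImportError:
    # Assumed stand-in for environments without Django: same rules as
    # django.utils.html (escape each parameter unless it declares __html__,
    # then mark the assembled string safe).
    class SafeString(str):
        def __html__(self):
            return self

    def mark_safe(s):
        return SafeString(s)

    def _conditional_escape(value):
        if hasattr(value, "__html__"):
            return value.__html__()
        return html.escape(str(value))  # & < > " ' become entities

    def format_html(template, *args, **kwargs):
        return mark_safe(template.format(
            *[_conditional_escape(a) for a in args],
            **{k: _conditional_escape(v) for k, v in kwargs.items()}))

# The attacker-controlled value quoted in the answer (constructed test input).
PAYLOAD = "http://a.aa/<script>eval(...);</script>"


def legacy_link(url):
    # allow_tags-era pattern: the payload is interpolated first, and
    # mark_safe then vouches for the entire string, script tag included.
    return mark_safe('<a href="%s">%s</a>' % (url, url))


def safe_link(url):
    # format_html escapes the parameter before it is placed in the template,
    # so only the template's own markup survives as live HTML.
    return format_html('<a href="{url}">{url}</a>', url=url)


def contains_live_script(markup):
    # A raw <script> tag in "safe" output is exactly what the admin would render.
    return "<script>" in str(markup)
```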