#36733: Fix unescape attributes in Stylesheet.__str__
-------------------------------------+-------------------------------------
Reporter: Baptiste Mispelon | Type: Bug
Status: new | Component:
| contrib.syndication
Version: 5.2 | Severity: Normal
Keywords: | Triage Stage:
| Unreviewed
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
,,This was originally reported by Mustafa Barakat as a security issue but
was deemed low-risk enough to be tracked publicly.,,
The `django.utils.feedgenerator.Stylesheet` class (introduced in #12978)
has a `__str__` method which is used when outputting a `<?xml-stylesheet
... ?>`. The method uses f-strings with three different attributes: `url`,
`mimetype`, and `media`.
However these attributes are not escaped, which could potentially lead to
invalid markup if any of those attributes were to contain a quote for
example.
Escaping using Django's `escape` (or even `format_html`) should work even
though those functions are meant for HTML and not XML.
--
Ticket URL: <https://code.djangoproject.com/ticket/36733>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
--
You received this message because you are subscribed to the Google Groups
"Django updates" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
To view this discussion visit
https://groups.google.com/d/msgid/django-updates/0107019a84445dfd-e9856615-bac1-4a4a-9353-3949c0840e00-000000%40eu-central-1.amazonses.com.
