Re: [Django] #36733: Fix unescaped attributes in Stylesheet.__str__ (was: Fix unescape attributes in Stylesheet.__str__)

[Django]

#36733: Fix unescaped attributes in Stylesheet.__str__
-------------------------------------+------------------------------------
     Reporter:  Baptiste Mispelon    |                    Owner:  (none)
         Type:  Bug                  |                   Status:  new
    Component:  contrib.syndication  |                  Version:  5.2
     Severity:  Release blocker      |               Resolution:
     Keywords:                       |             Triage Stage:  Accepted
    Has patch:  0                    |      Needs documentation:  0
  Needs tests:  0                    |  Patch needs improvement:  0
Easy pickings:  0                    |                    UI/UX:  0
-------------------------------------+------------------------------------
Changes (by Jacob Walls):

 * severity:  Normal => Release blocker
 * stage:  Unreviewed => Accepted
 * summary:  Fix unescape attributes in Stylesheet.__str__ => Fix unescaped
     attributes in Stylesheet.__str__


Old description:

> ,,This was originally reported by Mustafa Barakat as a security issue but
> was deemed low-risk enough to be tracked publicly.,,
>
> The `django.utils.feedgenerator.Stylesheet` class (introduced in #12978)
> has a `__str__` method which is used when outputting a `<?xml-stylesheet
> ... ?>`. The method uses f-strings with three different attributes:
> `url`, `mimetype`, and `media`.
>
> However these attributes are not escaped, which could potentially lead to
> invalid markup if any of those attributes were to contain a quote for
> example.
>
> Escaping using Django's `escape` (or even `format_html`) should work even
> though those functions are meant for HTML and not XML.

New description:

 ,,This was originally reported by Mustafa Barakat as a potential security
 issue but no vulnerability was identified, hence tracking this publicly,,

 The `django.utils.feedgenerator.Stylesheet` class (introduced in #12978)
 has a `__str__` method which is used when outputting a `<?xml-stylesheet
 ... ?>`. The method uses f-strings with three different attributes: `url`,
 `mimetype`, and `media`.

 However these attributes are not escaped, which could potentially lead to
 invalid markup if any of those attributes were to contain a quote for
 example.

 Escaping using Django's `escape` (or even `format_html`) should work even
 though those functions are meant for HTML and not XML.

--
-- 
Ticket URL: <https://code.djangoproject.com/ticket/36733#comment:1>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.

-- 
You received this message because you are subscribed to the Google Groups 
"Django updates" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to django-updates+unsubscr...@googlegroups.com.
To view this discussion visit 
https://groups.google.com/d/msgid/django-updates/0107019a84556c18-f82357d0-f507-4eea-94f1-354257989f0a-000000%40eu-central-1.amazonses.com.