Opened 3 weeks ago

Closed 2 weeks ago

Last modified 2 weeks ago

#36733 closed Bug (fixed)

Fix unescaped attributes in Stylesheet.__str__

Reported by: Baptiste Mispelon Owned by: Varun Kasyap Pentamaraju
Component: contrib.syndication Version: 5.2
Severity: Release blocker Keywords:
Cc: Triage Stage: Ready for checkin
Has patch: yes Needs documentation: no
Needs tests: no Patch needs improvement: no
Easy pickings: no UI/UX: no

Description (last modified by Jacob Walls)

This was originally reported by Mustafa Barakat as a potential security issue but no vulnerability was identified, hence tracking this publicly

The django.utils.feedgenerator.Stylesheet class (introduced in #12978) has a __str__ method which is used when outputting a <?xml-stylesheet ... ?>. The method uses f-strings with three different attributes: url, mimetype, and media.

However these attributes are not escaped, which could potentially lead to invalid markup if any of those attributes were to contain a quote for example.

Escaping using Django's escape (or even format_html) should work even though those functions are meant for HTML and not XML.

Change History (9)

comment:1 by Jacob Walls, 3 weeks ago

Description: modified (diff)
Severity: NormalRelease blocker
Summary: Fix unescape attributes in Stylesheet.__str__Fix unescaped attributes in Stylesheet.__str__
Triage Stage: UnreviewedAccepted

comment:2 by Varun Kasyap Pentamaraju, 3 weeks ago

Owner: set to Varun Kasyap Pentamaraju
Status: newassigned

Willing to contribute

comment:3 by Varun Kasyap Pentamaraju, 3 weeks ago

Has patch: set

https://github.com/django/django/pull/20098

comment:4 by Jacob Walls, 3 weeks ago

Patch needs improvement: set

comment:5 by Varun Kasyap Pentamaraju, 3 weeks ago

Patch needs improvement: unset

comment:6 by Jacob Walls, 3 weeks ago

Triage Stage: AcceptedReady for checkin

comment:7 by Jacob Walls <jacobtylerwalls@…>, 2 weeks ago

Resolution: fixed
Status: assignedclosed

In e05f2a7:

Fixed #36733 -- Escaped attributes in Stylesheet.str().

Thanks Mustafa Barakat for the report, Baptiste Mispelon for
the triage, and Jake Howard for the review.

comment:8 by Jacob Walls <jacobtylerwalls@…>, 2 weeks ago

In ef4715e:

[6.0.x] Fixed #36733 -- Escaped attributes in Stylesheet.str().

Thanks Mustafa Barakat for the report, Baptiste Mispelon for
the triage, and Jake Howard for the review.

Backport of e05f2a75695b5f5faa7682d4053db4776d4d6f93 from main.

comment:9 by Jacob Walls <jacobtylerwalls@…>, 2 weeks ago

In 001c2f54:

[5.2.x] Fixed #36733 -- Escaped attributes in Stylesheet.str().

Thanks Mustafa Barakat for the report, Baptiste Mispelon for
the triage, and Jake Howard for the review.

Backport of e05f2a75695b5f5faa7682d4053db4776d4d6f93 from main.

Note: See TracTickets for help on using tickets.
Back to Top