Opened 3 hours ago
Last modified 2 hours ago
#36733 new Bug
Fix unescaped attributes in Stylesheet.__str__
| Reported by: | Baptiste Mispelon | Owned by: | |
|---|---|---|---|
| Component: | contrib.syndication | Version: | 5.2 |
| Severity: | Release blocker | Keywords: | |
| Cc: | | Triage Stage: | Accepted |
| Has patch: | no | Needs documentation: | no |
| Needs tests: | no | Patch needs improvement: | no |
| Easy pickings: | no | UI/UX: | no |
Description (last modified by )
This was originally reported by Mustafa Barakat as a potential security issue, but no vulnerability was identified, hence tracking this publicly.
The django.utils.feedgenerator.Stylesheet class (introduced in #12978) has a __str__ method which is used when outputting a <?xml-stylesheet ... ?>. The method uses f-strings with three different attributes: url, mimetype, and media.
However, these attributes are not escaped, which could potentially lead to invalid markup if any of those attributes were to contain a quote, for example.
Escaping using Django's escape (or even format_html) should work even though those functions are meant for HTML and not XML.
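As an added illustration (not Django's own code and not part of the ticket), a reduced model of the `__str__` behaviour described above: `html.escape` stands in for `django.utils.html.escape`, and a small pseudo-attribute parser (the `PSEUDO_ATTR` regex is an assumption, not something Django ships) shows why an unescaped quote yields markup that no longer carries the intended three attributes.

```python
import re
from html import escape  # stand-in for django.utils.html.escape (escapes & < > " ')


class Stylesheet:
    """Reduced, constructed model of the feedgenerator Stylesheet; not Django's code."""

    def __init__(self, url, mimetype=None, media="screen"):
        self.url, self.mimetype, self.media = url, mimetype, media

    def _render(self, value):
        # Helper so the two variants below differ only in whether values are escaped.
        return [f'href="{value(self.url)}"'] + [
            f'{name}="{value(attr)}"'
            for name, attr in (("type", self.mimetype), ("media", self.media))
            if attr is not None
        ]

    def as_unescaped(self):
        # Mirrors the reported behaviour: attribute values go straight into the f-string.
        return " ".join(self._render(lambda v: v))

    def as_escaped(self):
        # Proposed fix: escape every value before interpolating it.
        return " ".join(self._render(escape))


def processing_instruction(attrs):
    """Wrap the rendered attributes the way the feed output does."""
    return f"<?xml-stylesheet {attrs}?>"


# Pseudo-attributes of an xml-stylesheet PI look like name="value"; this parser is an
# assumption used only to count what a consumer would see.
PSEUDO_ATTR = re.compile(r'(\w+)="([^"]*)"')


def pseudo_attributes(attrs):
    """Return the (name, value) pairs a consumer would extract from the PI data."""
    return PSEUDO_ATTR.findall(attrs)


if __name__ == "__main__":
    # Constructed input: a URL that happens to contain a double quote.
    sheet = Stylesheet('/feed.xsl" media="print', "text/xsl")
    for attrs in (sheet.as_unescaped(), sheet.as_escaped()):
        print(processing_instruction(attrs), "->", pseudo_attributes(attrs))
```

With escaping, the `href` value round-trips as a single attribute (`&quot;` inside it); without it, the quote splits the value and a fourth, unintended `media` pseudo-attribute appears.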
Change History (1)
comment:1 by , 2 hours ago
| Description: | modified (diff) |
|---|---|
| Severity: | Normal → Release blocker |
| Summary: | Fix unescape attributes in Stylesheet.__str__ → Fix unescaped attributes in Stylesheet.__str__ |
| Triage Stage: | Unreviewed → Accepted |