﻿id	summary	reporter	owner	description	type	status	component	version	severity	resolution	keywords	cc	stage	has_patch	needs_docs	needs_tests	needs_better_patch	easy	ui_ux
36733	Fix unescaped attributes in Stylesheet.__str__	Baptiste Mispelon		",,This was originally reported by Mustafa Barakat as a security issue but was deemed low-risk enough to be tracked publicly.,,

The `django.utils.feedgenerator.Stylesheet` class (introduced in #12978) has a `__str__` method which is used when outputting a `<?xml-stylesheet ... ?>`. The method uses f-strings with three different attributes: `url`, `mimetype`, and `media`.

However, these attributes are not escaped, which could potentially lead to invalid markup if any of those attributes were to contain a quote, for example.

Escaping using Django's `escape` (or even `format_html`) should work even though those functions are meant for HTML and not XML."	Bug	new	contrib.syndication	5.2	Normal				Unreviewed	0	0	0	0	0	0
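An added illustration of the report above, not code from Django or from the reporter. It assumes a minimal `Stylesheet` stand-in whose `__str__` interpolates `url`, `mimetype` and `media` into the `<?xml-stylesheet ... ?>` processing instruction with f-strings (the attribute layout is an assumption), puts the proposed escaping beside it, and checks both with an XML parser plus a small pseudo-attribute parser of the kind a stylesheet processor uses. `html.escape(..., quote=True)` stands in for Django's `escape`; both replace the same five characters, and the resulting `&quot;`, `&#x27;`, `&gt;` etc. are the predefined entity and character references the xml-stylesheet pseudo-attribute grammar allows.

```python
import html
import re
import xml.dom.minidom
from xml.parsers.expat import ExpatError


class UnescapedStylesheet:
    """Stand-in mirroring the reported bug: values are interpolated raw.
    (Assumed layout; not Django's actual Stylesheet class.)"""

    def __init__(self, url, mimetype="", media=""):
        self.url, self.mimetype, self.media = url, mimetype, media

    def __str__(self):
        s = f'<?xml-stylesheet href="{self.url}"'
        if self.mimetype:
            s += f' type="{self.mimetype}"'
        if self.media:
            s += f' media="{self.media}"'
        return s + "?>"


def xml_attr_escape(value):
    """Escape & < > " ' as the ticket proposes. html.escape(quote=True)
    performs the same five replacements as django.utils.html.escape."""
    return html.escape(str(value), quote=True)


class EscapedStylesheet(UnescapedStylesheet):
    """The proposed fix: escape every value before interpolating it."""

    def __str__(self):
        s = f'<?xml-stylesheet href="{xml_attr_escape(self.url)}"'
        if self.mimetype:
            s += f' type="{xml_attr_escape(self.mimetype)}"'
        if self.media:
            s += f' media="{xml_attr_escape(self.media)}"'
        return s + "?>"


# name="value" / name='value' pairs, as in the xml-stylesheet PI grammar.
_PSEUDO_ATTR = re.compile(r'(\w+)\s*=\s*(?:"([^"]*)"|\'([^\']*)\')')


def pseudo_attributes(pi_data):
    """Parse the PI's pseudo-attributes the way a stylesheet processor does:
    split on quoted pairs, then decode entity and character references."""
    return {
        m.group(1): html.unescape(m.group(2) if m.group(2) is not None else m.group(3))
        for m in _PSEUDO_ATTR.finditer(pi_data)
    }


def feed_stylesheet_attrs(stylesheet):
    """Embed the PI in a constructed minimal feed, parse it with an XML
    parser and return the decoded pseudo-attributes of the xml-stylesheet
    PI, or None when the document is no longer well-formed."""
    doc = f'<?xml version="1.0"?>{stylesheet}<rss version="2.0"/>'
    try:
        parsed = xml.dom.minidom.parseString(doc)
    except ExpatError:
        return None
    for node in parsed.childNodes:
        if (node.nodeType == node.PROCESSING_INSTRUCTION_NODE
                and node.target == "xml-stylesheet"):
            return pseudo_attributes(node.data)
    return {}


if __name__ == "__main__":
    # Constructed inputs: a quote lets a url smuggle an extra pseudo-attribute
    # past the unescaped version; "?>" terminates the PI early and breaks the
    # feed outright. The escaped version round-trips both values unchanged.
    for url in ('feed.xsl" media="print', "feed.xsl?>", "feed.xsl?a=1&b=2"):
        print(repr(url))
        print("  unescaped:", feed_stylesheet_attrs(UnescapedStylesheet(url)))
        print("  escaped:  ", feed_stylesheet_attrs(EscapedStylesheet(url)))
```

The XML parser itself only objects to the `?>` case; a stray quote is legal PI content, so the damage from the quote case shows up one layer later, when a consumer splits the pseudo-attributes and reads a `media` value the feed author never set.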
