id	summary	reporter	owner	description	type	status	component	version	severity	resolution	keywords	cc	stage	has_patch	needs_docs	needs_tests	needs_better_patch	easy	ui_ux
36733	Fix unescaped attributes in Stylesheet.__str__	Baptiste Mispelon		",,This was originally reported by Mustafa Barakat as a potential security issue but no vulnerability was identified, hence tracking this publicly,,

The `django.utils.feedgenerator.Stylesheet` class (introduced in #12978) has a `__str__` method which is used when outputting a `<?xml-stylesheet ... ?>`. The method uses f-strings with three different attributes: `url`, `mimetype`, and `media`.

However, these attributes are not escaped, which could potentially lead to invalid markup if any of those attributes were to contain a quote, for example.

Escaping using Django's `escape` (or even `format_html`) should work even though those functions are meant for HTML and not XML."	Bug	new	contrib.syndication	5.2	Release blocker				Accepted	0	0	0	0	0	0
