Opened 5 hours ago
Last modified 5 hours ago
#36733 new Bug
Fix unescape attributes in Stylesheet.__str__ — at Initial Version
| Reported by: | Baptiste Mispelon | Owned by: | |
|---|---|---|---|
| Component: | contrib.syndication | Version: | 5.2 |
| Severity: | Release blocker | Keywords: | |
| Cc: | | Triage Stage: | Accepted |
| Has patch: | no | Needs documentation: | no |
| Needs tests: | no | Patch needs improvement: | no |
| Easy pickings: | no | UI/UX: | no |
Description
This was originally reported by Mustafa Barakat as a security issue but was deemed low-risk enough to be tracked publicly.
The django.utils.feedgenerator.Stylesheet class (introduced in #12978) has a __str__ method which is used when outputting a <?xml-stylesheet ... ?>. The method uses f-strings with three different attributes: url, mimetype, and media.
However, these attributes are not escaped, which could potentially lead to invalid markup if, for example, any of those attributes were to contain a quote.
Escaping using Django's escape (or even format_html) should work even though those functions are meant for HTML and not XML.
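An added illustration of the problem and of the proposed fix (reconstructed example, not Django's own `Stylesheet` code): `render_stylesheet_pi` mimics the unescaped f-string output, `escape_attribute` stands in for `django.utils.html.escape` (which wraps `html.escape`), and the two checks show how a quote breaks the PI's pseudo-attributes and how a `?>` in a value terminates the processing instruction early. The input values are constructed for the demonstration.

```python
import html
import re
import xml.etree.ElementTree as ET

# Pseudo-attribute grammar from "Associating Style Sheets with XML":
# Name="value", where the value may not contain a raw '"', '<' or '&'
# other than as a predefined entity or character reference.
_PSEUDO_ATTR = re.compile(
    r'\s*([A-Za-z_:][\w:.-]*)\s*=\s*"'
    r'((?:[^"<&]|&(?:amp|lt|gt|quot|apos|#\d+|#x[0-9a-fA-F]+);)*)"'
)


def escape_attribute(value):
    """Stand-in for django.utils.html.escape (both call html.escape)."""
    return html.escape(str(value))


def render_stylesheet_pi(url, mimetype="text/css", media="screen", escape_fn=None):
    """Render <?xml-stylesheet ...?>. escape_fn=None reproduces the unescaped
    behaviour the ticket describes; escape_fn=escape_attribute is the fix."""
    esc = escape_fn or (lambda value: value)
    return (
        f'<?xml-stylesheet href="{esc(url)}" type="{esc(mimetype)}" '
        f'media="{esc(media)}"?>'
    )


def parse_pseudo_attributes(pi):
    """Parse the PI's pseudo-attributes; return None when they are malformed."""
    assert pi.startswith("<?xml-stylesheet") and pi.endswith("?>")
    data = pi[len("<?xml-stylesheet"):-2].strip()
    attrs, pos = {}, 0
    while pos < len(data):
        match = _PSEUDO_ATTR.match(data, pos)
        if match is None:
            return None
        attrs[match.group(1)] = html.unescape(match.group(2))
        pos = match.end()
    return attrs


def feed_is_well_formed(pi):
    """True when a minimal feed containing the PI parses as XML; a raw '?>'
    inside a value ends the PI early and leaves junk before the root."""
    doc = f'<?xml version="1.0"?>\n{pi}\n<rss version="2.0"><channel/></rss>'
    try:
        ET.fromstring(doc)
        return True
    except ET.ParseError:
        return False
```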