Re: [Django] #36733: Fix unescaped attributes in Stylesheet.__str__ (was: Fix unescape attributes in Stylesheet.__str__)


Django

Nov 14, 2025, 4:46:29 PM11/14/25
to django-...@googlegroups.com
#36733: Fix unescaped attributes in Stylesheet.__str__
-------------------------------------+------------------------------------
Reporter: Baptiste Mispelon | Owner: (none)
Type: Bug | Status: new
Component: contrib.syndication | Version: 5.2
Severity: Release blocker | Resolution:
Keywords: | Triage Stage: Accepted
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+------------------------------------
Changes (by Jacob Walls):

* severity: Normal => Release blocker
* stage: Unreviewed => Accepted
* summary: Fix unescape attributes in Stylesheet.__str__ => Fix unescaped
attributes in Stylesheet.__str__


Old description:

> ,,This was originally reported by Mustafa Barakat as a security issue but
> was deemed low-risk enough to be tracked publicly.,,
>
> The `django.utils.feedgenerator.Stylesheet` class (introduced in #12978)
> has a `__str__` method which is used when outputting a `<?xml-stylesheet
> ... ?>`. The method uses f-strings with three different attributes:
> `url`, `mimetype`, and `media`.
>
> However these attributes are not escaped, which could potentially lead to
> invalid markup if any of those attributes were to contain a quote for
> example.
>
> Escaping using Django's `escape` (or even `format_html`) should work even
> though those functions are meant for HTML and not XML.

New description:

,,This was originally reported by Mustafa Barakat as a potential security
issue but no vulnerability was identified, hence tracking this publicly,,

The `django.utils.feedgenerator.Stylesheet` class (introduced in #12978)
has a `__str__` method which is used when outputting a `<?xml-stylesheet
... ?>`. The method uses f-strings with three different attributes: `url`,
`mimetype`, and `media`.

However these attributes are not escaped, which could potentially lead to
invalid markup if any of those attributes were to contain a quote for
example.

Escaping using Django's `escape` (or even `format_html`) should work even
though those functions are meant for HTML and not XML.

--
Ticket URL: <https://code.djangoproject.com/ticket/36733#comment:1>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
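The following is an added illustration of the issue the ticket describes, not Django's own `Stylesheet` code. It renders an `<?xml-stylesheet ... ?>` processing instruction either with raw f-string interpolation (the behaviour reported) or with the values escaped, and checks the result with a small pseudo-attribute parser written from the grammar in the W3C "Associating Style Sheets with XML documents" recommendation (double-quoted values only, which is all the renderer emits). The stdlib `html.escape` stands in for Django's `escape`; both replace the same five characters (`& < > " '`), so the result is equally valid inside a pseudo-attribute value. The function names and the sample values are constructed for this example.

```python
import html
import re

# One pseudo-attribute per the xml-stylesheet recommendation:
#   Name = "value"  where value may not contain a raw '"', '<' or '&',
#   but may contain character references and the five predefined entity refs.
# (Simplified: single-quoted values are not handled here.)
_PSEUDO_ATTR = re.compile(
    r'(?P<name>[A-Za-z_:][\w:.-]*)\s*=\s*"'
    r'(?P<value>(?:[^"<&]|&#x[0-9A-Fa-f]+;|&#[0-9]+;|&(?:lt|gt|amp|quot|apos);)*)"'
)


def render_stylesheet_pi(url, mimetype="text/css", media="screen", escape_values=True):
    """Render an <?xml-stylesheet ...?> PI from three attribute values.

    escape_values=False reproduces the unescaped f-string pattern described in
    the ticket (constructed here, not Django's implementation); True applies
    html.escape to every value before interpolation, the fix the ticket proposes.
    """
    enc = html.escape if escape_values else (lambda v: v)
    attrs = " ".join(
        f'{name}="{enc(value)}"'
        for name, value in (("href", url), ("type", mimetype), ("media", media))
        if value  # omit empty attributes, as a real generator would
    )
    return f"<?xml-stylesheet {attrs}?>"


def parse_xml_stylesheet_pi(pi):
    """Parse a PI into its pseudo-attributes; return None if it is malformed."""
    if not pi.startswith("<?xml-stylesheet") or not pi.endswith("?>"):
        return None
    body = pi[len("<?xml-stylesheet"):-2]
    # A raw "?>" inside the data would have terminated the PI early in any
    # XML parser, leaving the rest of the string as stray document content.
    if "?>" in body:
        return None
    attrs = {}
    pos = 0
    while True:
        rest = body[pos:]
        if not rest.strip():
            break
        stripped = rest.lstrip()
        m = _PSEUDO_ATTR.match(stripped)
        if m is None:
            return None  # e.g. a stray quote that broke the value boundary
        # Entity and character references in the value are resolved here,
        # so an escaped value round-trips to the original string.
        attrs[m.group("name")] = html.unescape(m.group("value"))
        pos += (len(rest) - len(stripped)) + m.end()
    return attrs


if __name__ == "__main__":
    # Constructed sample values: a quote and a "?>" inside the href.
    for url in ('a"b.xsl', "x.xsl?>"):
        raw = render_stylesheet_pi(url, escape_values=False)
        safe = render_stylesheet_pi(url)
        print(raw, "->", parse_xml_stylesheet_pi(raw))
        print(safe, "->", parse_xml_stylesheet_pi(safe))
```

Running the module shows both failure modes: with a quote in `href`, the unescaped PI no longer parses into pseudo-attributes, and with `?>` in the value the PI is terminated early; after escaping, both values are carried as `&quot;` and `?&gt;` and parse back to the original strings. This is the "invalid markup" risk the ticket refers to, and also why escaping rather than only quote-stripping is the right fix.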