[Django] #37183: Prevent writing control characters into XML attributes in syndication feeds
3 views
Skip to first unread message
Django
Jun 23, 2026, 12:02:56 PM (yesterday) Jun 23
to django-...@googlegroups.com
#37183: Prevent writing control characters into XML attributes in syndication feeds
-------------------------------------+-------------------------------------
Reporter: Jacob | Owner: Jacob Walls
Walls |
Type: | Status: assigned
Cleanup/optimization |
Component: | Version: dev
contrib.syndication | Keywords: not-security,
Severity: Normal | control
Triage Stage: | Has patch: 0
Unreviewed |
Needs documentation: 0 | Needs tests: 0
Patch needs improvement: 0 | Easy pickings: 0
UI/UX: 0 |
-------------------------------------+-------------------------------------
The Security Team received a report about constructing a syndication feed
item from invalid user input (a control character) breaking an entire feed
by causing the XML document to be unparseable.
Control characters other than HT, LF, and CR are not valid in XML. The
code path through the XML serializers was adjusted in #20197 to raise a
`ValueError` for these characters, but we didn't cover the syndication
app, which also uses `SimplerXMLGenerator`.
We closed the report since it involves unsanitized user input, but we
could raise a nice `ValueError` (or subclass) to prevent silently writing
invalid XML documents.
Thanks sy2n0 for the report.
--
Ticket URL: <https://code.djangoproject.com/ticket/37183>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
-------------------------------------+-------------------------------------
Reporter: Jacob | Owner: Jacob Walls
Walls |
Type: | Status: assigned
Cleanup/optimization |
Component: | Version: dev
contrib.syndication | Keywords: not-security,
Severity: Normal | control
Triage Stage: | Has patch: 0
Unreviewed |
Needs documentation: 0 | Needs tests: 0
Patch needs improvement: 0 | Easy pickings: 0
UI/UX: 0 |
-------------------------------------+-------------------------------------
The Security Team received a report about constructing a syndication feed
item from invalid user input (a control character) breaking an entire feed
by causing the XML document to be unparseable.
Control characters other than HT, LF, and CR are not valid in XML. The
code path through the XML serializers was adjusted in #20197 to raise a
`ValueError` for these characters, but we didn't cover the syndication
app, which also uses `SimplerXMLGenerator`.
We closed the report since it involves unsanitized user input, but we
could raise a nice `ValueError` (or subclass) to prevent silently writing
invalid XML documents.
Thanks sy2n0 for the report.
--
Ticket URL: <https://code.djangoproject.com/ticket/37183>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
Django
Jun 23, 2026, 12:16:02 PM (24 hours ago) Jun 23
to django-...@googlegroups.com
#37183: Prevent writing control characters into XML attributes in syndication feeds
-------------------------------------+-------------------------------------
Reporter: Jacob Walls | Owner: Jacob
-------------------------------------+-------------------------------------
Type: | Walls
Cleanup/optimization | Status: assigned
Component: contrib.syndication | Version: dev
Severity: Normal | Resolution:
Keywords: not-security, | Triage Stage:
control | Unreviewed
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
Changes (by Jacob Walls):
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
* has_patch: 0 => 1
Comment:
[https://github.com/django/django/pull/21531 PR]
--
Ticket URL: <https://code.djangoproject.com/ticket/37183#comment:1>
Django
Jun 23, 2026, 3:03:57 PM (21 hours ago) Jun 23
to django-...@googlegroups.com
#37183: Prevent writing control characters into XML attributes in syndication feeds
-------------------------------------+-------------------------------------
Reporter: Jacob Walls | Owner: Jacob
Type: | Walls
Cleanup/optimization | Status: assigned
Component: contrib.syndication | Version: dev
Severity: Normal | Resolution:
Keywords: not-security, | Triage Stage: Accepted
-------------------------------------+-------------------------------------
Reporter: Jacob Walls | Owner: Jacob
Type: | Walls
Cleanup/optimization | Status: assigned
Component: contrib.syndication | Version: dev
Severity: Normal | Resolution:
control |
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
Changes (by Mike Edmunds):
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
* stage: Unreviewed => Accepted
--
Ticket URL: <https://code.djangoproject.com/ticket/37183#comment:2>
Reply all
Reply to author
Forward
0 new messages