[Django] #36733: Fix unescape attributes in Stylesheet.__str__


Django

Nov 14, 2025, 4:27:51 PM11/14/25
to django-...@googlegroups.com
#36733: Fix unescape attributes in Stylesheet.__str__
-------------------------------------+-------------------------------------
Reporter: Baptiste Mispelon          | Type: Bug
Status: new                          | Component: contrib.syndication
Version: 5.2                         | Severity: Normal
Keywords:                            | Triage Stage: Unreviewed
Has patch: 0                         | Needs documentation: 0
Needs tests: 0                       | Patch needs improvement: 0
Easy pickings: 0                     | UI/UX: 0
-------------------------------------+-------------------------------------
This was originally reported by Mustafa Barakat as a security issue but
was deemed low-risk enough to be tracked publicly.

The `django.utils.feedgenerator.Stylesheet` class (introduced in #12978)
has a `__str__` method which is used when outputting a `<?xml-stylesheet
... ?>`. The method uses f-strings with three different attributes: `url`,
`mimetype`, and `media`.

However, these attributes are not escaped, which could potentially lead to
invalid markup if any of those attributes were to contain a quote, for
example.

Escaping using Django's `escape` (or even `format_html`) should work even
though those functions are meant for HTML and not XML.
--
Ticket URL: <https://code.djangoproject.com/ticket/36733>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
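An added example, not part of the ticket and not Django's own code: a minimal stand-in for `Stylesheet.__str__` rendered two ways, unescaped as the ticket describes and through the standard-library `html.escape`, which escapes the same five characters (`& < > " '`) as Django's `escape`. The feed wrapper, the simplified pseudo-attribute parser and the sample values are all constructed for this illustration. It shows two consequences of the missing escaping: a quote in `url` injects an extra pseudo-attribute into the `<?xml-stylesheet ... ?>` instruction, and a value containing `?>` terminates the processing instruction early and leaves the feed document malformed.

```python
"""Added example (not Django's code): why the pseudo-attributes of an
<?xml-stylesheet ... ?> processing instruction must be escaped.

Assumptions: UnescapedStylesheet is a hypothetical stand-in for the
unescaped rendering described in ticket #36733; html.escape stands in for
django.utils.html.escape; render_feed, pseudo_attributes and the sample
values are constructed here and are not part of Django.
"""
import html
import re
from dataclasses import dataclass
from typing import Optional
from xml.dom import minidom
from xml.parsers.expat import ExpatError


@dataclass
class UnescapedStylesheet:
    """Stand-in for an f-string rendering that copies values verbatim."""

    url: str
    mimetype: Optional[str] = None
    media: Optional[str] = None

    def __str__(self) -> str:
        data = [f'href="{self.url}"']
        if self.mimetype is not None:
            data.append(f'type="{self.mimetype}"')
        if self.media is not None:
            data.append(f'media="{self.media}"')
        return " ".join(data)


class EscapedStylesheet(UnescapedStylesheet):
    """Hardened variant: every value is passed through html.escape, which
    turns & < > " ' into the predefined XML entities / a char reference."""

    def __str__(self) -> str:
        data = [f'href="{html.escape(self.url)}"']
        if self.mimetype is not None:
            data.append(f'type="{html.escape(self.mimetype)}"')
        if self.media is not None:
            data.append(f'media="{html.escape(self.media)}"')
        return " ".join(data)


def render_feed(stylesheet: UnescapedStylesheet) -> str:
    """Constructed minimal feed: XML declaration, one stylesheet PI, root."""
    return (
        '<?xml version="1.0"?>'
        f"<?xml-stylesheet {stylesheet}?>"
        '<rss version="2.0"/>'
    )


# Simplified view of how a stylesheet processor splits the PI data into
# name="value" pseudo-attributes (entity references left undecoded here).
PSEUDO_ATTR = re.compile(r'(\w+)="([^"]*)"')


def pseudo_attributes(pi_data: str) -> dict:
    return dict(PSEUDO_ATTR.findall(pi_data))


def analyze(document: str):
    """Parse the feed; return (number of xml-stylesheet PIs, root tag name),
    or None when the document is not well-formed XML."""
    try:
        dom = minidom.parseString(document)
    except ExpatError:
        return None
    pis = [
        node
        for node in dom.childNodes
        if node.nodeType == node.PROCESSING_INSTRUCTION_NODE
        and node.target == "xml-stylesheet"
    ]
    return len(pis), dom.documentElement.tagName


if __name__ == "__main__":
    injected = '/style.xsl" type="text/css'
    print(pseudo_attributes(str(UnescapedStylesheet(injected))))
    print(pseudo_attributes(str(EscapedStylesheet(injected))))
    breakout = "x?><evil/>"
    print(analyze(render_feed(UnescapedStylesheet(breakout))))
    print(analyze(render_feed(EscapedStylesheet(breakout))))
```

The first pair shows the attribute-injection case: the unescaped render yields two pseudo-attributes from a single `url`, while the escaped render keeps everything inside `href`. The second pair shows why escaping `>` matters even though the ticket only mentions quotes: an unescaped `?>` closes the processing instruction, so the parser sees a stray element and trailing text and rejects the document, whereas the escaped form stays a single well-formed PI followed by the `rss` root.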