fix: XSS vulnerability for page title (#8075)

* Fix: XSS vulnerability for page title

* fix linting

---------

Co-authored-by: Github Release Action <info@django-cms.org>

Author: fsbraun

cms/api.py

@@ -136,7 +136,7 @@ def create_page(title, template, language, menu_title=None, slug=None,
                 xframe_options=constants.X_FRAME_OPTIONS_INHERIT):
     """
     Creates a :class:`cms.models.Page` instance and returns it. Also
-    creates a :class:`cms.models.Title` instance for the specified
+    creates a :class:`cms.models.PageContent` instance for the specified
     language.
 
     .. warning::

cms/templatetags/cms_tags.py

@@ -441,9 +441,7 @@ def get_value(self, context, name, page_lookup):
         if page and name in self.valid_attributes:
             func = getattr(page, "get_%s" % name)
             ret_val = func(language=lang, fallback=True)
-            if name == 'page_title':
-                 ret_val = strip_tags(ret_val)
-            elif not isinstance(ret_val, datetime):
+            if not isinstance(ret_val, datetime):
                 ret_val = escape(ret_val)
             return ret_val
         return ''

cms/tests/test_templatetags.py

@@ -11,11 +11,10 @@
 from django.test import RequestFactory
 from django.test.utils import override_settings
 from django.utils.encoding import force_str
-from django.utils.html import strip_tags
+from django.utils.html import escape
 from django.utils.timezone import now
 from django.utils.translation import override as force_language
 from djangocms_text_ckeditor.cms_plugins import TextPlugin
-from djangocms_text_ckeditor.models import Text
 from sekizai.context import SekizaiContext
 
 import cms
@@ -139,6 +138,7 @@ def test_unicode_placeholder_name_fails_fast(self):
     def test_page_attribute_tag_escapes_content(self):
         script = '<script>alert("XSS");</script>'
         ampersand = 'Q&A page'
+        partial = '"><img src=x onerror=alert(1) "'
 
         class FakePage:
             def __init__(self, title):
@@ -159,11 +159,14 @@ def __init__(self, page):
         template = '{% load cms_tags %}{% page_attribute page_title %}'
         output_script = self.render_template_obj(template, {}, request_script)
         output_ampersand = self.render_template_obj(template, {}, request_ampersand)
+        output_partial = self.render_template_obj(template, {}, FakeRequest(FakePage(partial)))
 
         self.assertNotEqual(script, output_script)
-        self.assertEqual(ampersand, output_ampersand)
-        self.assertEqual(strip_tags(script), output_script)
-        self.assertEqual(strip_tags(ampersand), output_ampersand)
+        self.assertNotEqual(ampersand, output_ampersand)
+        self.assertNotEqual(partial, output_partial)
+        self.assertEqual(escape(script), output_script)
+        self.assertEqual(escape(ampersand), output_ampersand)
+        self.assertEqual(escape(partial), output_partial)
 
     def test_json_encoder(self):
         self.assertEqual(json_filter(True), 'true')