fix: #7859: allow special characters in page title (#7868)

* fix #7859: allow special characters in page title * Update test_templatetags.py * Fix ruff issues in test_templatetags.py * One more time: fix ruff issues in test_templatetags.py --------- Co-authored-by: Fabian Braun <fsbraun@gmx.de>
django-cms · May 22, 2024 · 63e50fe · 63e50fe
1 parent 1fbe758
commit 63e50fe
Show file tree

Hide file tree

Showing 2 changed files with 23 additions and 9 deletions.
diff --git a/cms/templatetags/cms_tags.py b/cms/templatetags/cms_tags.py
@@ -20,7 +20,7 @@
 from django.template.loader import render_to_string
 from django.urls import reverse
 from django.utils.encoding import smart_str
-from django.utils.html import escape
+from django.utils.html import escape, strip_tags
 from django.utils.http import urlencode
 from django.utils.translation import (
     get_language,
@@ -407,7 +407,9 @@ def get_value(self, context, name, page_lookup):
         if page and name in self.valid_attributes:
             func = getattr(page, "get_%s" % name)
             ret_val = func(language=lang, fallback=True)
-            if not isinstance(ret_val, datetime):
+            if name == 'page_title':
+                 ret_val = strip_tags(ret_val)
+            elif not isinstance(ret_val, datetime):
                 ret_val = escape(ret_val)
             return ret_val
         return ''

diff --git a/cms/tests/test_templatetags.py b/cms/tests/test_templatetags.py
@@ -11,7 +11,7 @@
 from django.test import RequestFactory
 from django.test.utils import override_settings
 from django.utils.encoding import force_str
-from django.utils.html import escape
+from django.utils.html import strip_tags
 from django.utils.timezone import now
 from django.utils.translation import override as force_language
 from djangocms_text_ckeditor.cms_plugins import TextPlugin
@@ -115,20 +115,32 @@ def test_unicode_placeholder_name_fails_fast(self):
 
     def test_page_attribute_tag_escapes_content(self):
         script = '<script>alert("XSS");</script>'
+        ampersand = 'Q&A page'
 
         class FakePage:
+            def __init__(self, title):
+                self.title = title
+                super().__init__()
+
             def get_page_title(self, *args, **kwargs):
-                return script
+                return self.title
 
         class FakeRequest:
-            current_page = FakePage()
             GET = {'language': 'en'}
 
-        request = FakeRequest()
+            def __init__(self, page):
+                self.current_page = page
+
+        request_script = FakeRequest(FakePage(script))
+        request_ampersand = FakeRequest(FakePage(ampersand))
         template = '{% load cms_tags %}{% page_attribute page_title %}'
-        output = self.render_template_obj(template, {}, request)
-        self.assertNotEqual(script, output)
-        self.assertEqual(escape(script), output)
+        output_script = self.render_template_obj(template, {}, request_script)
+        output_ampersand = self.render_template_obj(template, {}, request_ampersand)
+
+        self.assertNotEqual(script, output_script)
+        self.assertEqual(ampersand, output_ampersand)
+        self.assertEqual(strip_tags(script), output_script)
+        self.assertEqual(strip_tags(ampersand), output_ampersand)
 
     def test_json_encoder(self):
         self.assertEqual(json_filter(True), 'true')