add patch

cms/admin/placeholderadmin.py

@@ -18,6 +18,7 @@
 from django.template.response import TemplateResponse
 from django.utils.decorators import method_decorator
 from django.utils.encoding import force_text
+from django.utils.html import conditional_escape
 from django.utils import translation
 from django.utils.translation import ugettext as _
 from django.views.decorators.clickjacking import xframe_options_sameorigin
@@ -304,7 +305,7 @@ def add_plugin(self, request):
             # errors is s dict mapping fields to a list of errors
             # for that field.
             error = list(form.errors.values())[0][0]
-            return HttpResponseBadRequest(force_text(error))
+            return HttpResponseBadRequest(conditional_escape(force_text(error)))
 
         plugin_data = form.cleaned_data
         placeholder = plugin_data['placeholder_id']

cms/tests/test_plugins.py

@@ -1536,3 +1536,26 @@ def test_related_name(self):
                          'mti_pluginapp_lessmixedplugin')
         # Non plugins are skipped
         self.assertFalse(hasattr(NonPluginModel, 'cmsplugin_ptr'))
+
+
+class UserInputValidationPluginTest(PluginsTestBaseCase):
+
+    def test_error_response_escapes(self):
+        superuser = self.get_superuser()
+        page = api.create_page(
+            title='error page',
+            template='nav_playground.html',
+            language='en'
+        )
+        url = URL_CMS_PLUGIN_ADD + '?' + urlencode({
+            'plugin_type': 'TextPlugin"><script>alert("hello world")</script>',
+            'placeholder_id': page.placeholders.get(slot='body').id,
+            'cms_path': page.get_path(),
+            'plugin_language': settings.LANGUAGES[0][0],
+        })
+
+        with self.login_user_context(superuser):
+            response = self.client.get(url)
+
+        self.assertEqual(response.status_code, 400)
+        self.assertIn('TextPlugin&quot;&gt;&lt;script&gt;alert(&quot;hello world&quot;)&lt;/script&gt;', response.content.decode("utf-8"))