[BUG] Special characters in page title #7859
Comments
@jrief Wouldn't it suffice to add
Obviously, this would open up a vulnerability to scripting attacks. Maybe a custom filter that removes any tags but keeps symbols is the right way to go? (I am thinking of an |
Another thought: |
Unfortunately, both of them do not work. The problem is that the string is already escaped before creating the rendering context.
As a quick fix (use it as
Still, I would expect |
I found a solution for that problem. It could be solved by applying this patch without sacrificing security.
An alternative work-around is to use
Shouldn't we disallow HTML tags in the |
Description
If a page title contains special characters, such as &, then this character is rendered as HTML-entity, for instance &amp;. In browser tabs this does not look right.
Steps to reproduce
A & B as the page title.
The browser tab shows A &amp; B.
Expected behaviour
The browser tab should show A & B as page title.
Do you want to help fix this issue?
By patching the templatetag cms.templatetags.cms_tags.PageAttribute and not escaping the value, this can be fixed easily. However, I don't know what security implications this fix may have.
I would exempt escaping the string, whenever the name is page_title, just as we do it with values of type datetime.
Any objections to this?
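The trade-off discussed in this issue, as an added standard-library illustration that is not part of the issue and not the project's own code. It assumes the bug is a double escape (once before the rendering context is built, once by autoescaping); all function names are hypothetical and the sample titles are constructed.

```python
import html
from html.parser import HTMLParser


class _TextOnly(HTMLParser):
    """Hypothetical helper: keeps text nodes, drops every tag."""

    def __init__(self):
        super().__init__(convert_charrefs=True)  # decodes &amp; etc. in text
        self.parts = []

    def handle_data(self, data):
        self.parts.append(data)


def plain_text(value):
    """Return value with tags removed and character references decoded."""
    parser = _TextOnly()
    parser.feed(value)
    parser.close()
    return "".join(parser.parts)


def title_double_escaped(title):
    # Assumed model of the bug: escaped once before the context is built,
    # then escaped again by template autoescaping.
    return "<title>%s</title>" % html.escape(html.escape(title))


def title_unescaped(title):
    # Skipping escaping entirely: any markup in the title reaches the page.
    return "<title>%s</title>" % title


def title_escaped_once(title):
    # Reduce to plain text (raw or already-escaped input), then escape once.
    return "<title>%s</title>" % html.escape(plain_text(title))


def tab_text(markup):
    """Text a browser tab would show: title content, references decoded once."""
    inner = markup[len("<title>"):-len("</title>")]
    return html.unescape(inner)
```

Escaping exactly once after stripping tags keeps symbols such as & readable in the tab while markup in the title never reaches the page unescaped.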