[BUG] Special characters in page title #7859

Open
1 of 2 tasks
jrief opened this issue Mar 27, 2024 · 7 comments

@jrief
Contributor

jrief commented Mar 27, 2024

Description

If a page title contains special characters, such as &, then this character is rendered as an HTML entity, for instance &amp;.
In browser tabs this does not look right.

Steps to reproduce

  • Create a page template where the page title is used. This is usually done by adding
<head>
  {% page_attribute "page_title" as page_title %}
  <title>{{ page_title }}</title>
</head>
  • Create or edit a page and use A & B as the page title.
  • Load the page.

The browser tab shows A &amp; B.

Expected behaviour

The browser tab should show A & B as page title.

Do you want to help fix this issue?

By patching the templatetag cms.templatetags.cms_tags.PageAttribute and not escaping the value, this can be fixed easily. However, I don't know what security implications this fix may have.

I would exempt the string from escaping whenever the name is page_title, just as we do with values of type datetime.

Any objections to this?

  • Yes, I want to help fix this issue and I will join #workgroup-pr-review on Slack to confirm with the community that a PR is welcome.
  • No, I only want to report the issue.
@fsbraun
Sponsor Member

fsbraun commented Mar 27, 2024

@jrief Wouldn't it suffice to add safe?

<head>
  {% page_attribute "page_title" as page_title %}
  <title>{{ page_title|safe }}</title>
  …
</head>

Obviously, this would open up a vulnerability to scripting attacks. Maybe a custom filter that removes any tags but keeps symbols is the right way to go? (I am thinking of an escape-like filter that keeps the ampersand and quote symbols. Not sure, though, which malicious things you could do with that.)

@fsbraun
Sponsor Member

fsbraun commented Mar 27, 2024

Another thought: <title>{{ page_title|striptags }}</title>?

@jrief
Contributor Author

jrief commented Mar 27, 2024

Unfortunately, neither of them works.

The problem is that the string is already escaped before the rendering context is created.
This could be circumvented by unescaping that string again. However, Django does not provide any template filter for this.

@fsbraun
Sponsor Member

fsbraun commented Mar 27, 2024

As a quick fix (use it as ...|unescape|safe):

from django import template
register = template.Library()  # registers the filter so a template can {% load %} it
@register.filter
def unescape(value):
    """Unescapes ampersands"""
    return str(value).replace("&amp;", "&")

Still, I would expect page_attribute to deliver unescaped strings, which Django would autoescape if no safe filter is added. I'll have a look at the code...

jrief added a commit to jrief/django-cms that referenced this issue Apr 5, 2024
@jrief
Contributor Author

jrief commented Apr 5, 2024

I found a solution for that problem. It could be solved by applying this patch without sacrificing security.

@fsbraun
Sponsor Member

fsbraun commented Apr 9, 2024

An alternative work-around is to use

<head>
  <title>{{ request.current_page.get_page_title|striptags }}</title>
  …
</head>

@jrief
Contributor Author

jrief commented Apr 12, 2024

<title>{{ request.current_page.get_page_title|striptags }}</title> is quite a lot of indirection for an object for which we already have a canonical handle.

Shouldn't we disallow HTML tags in the title field in the clean() method before saving, rather than on rendering?
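The exchange above turns on how Django's autoescaping interacts with a value that a template tag has already escaped. The following is an added example (not code from django-cms, and not from either participant) that models that pipeline with the standard library only, so it runs without Django installed: SafeString, mark_safe, escape and conditional_escape are stand-ins modelled on django.utils.safestring and django.utils.html, render_title stands in for `<title>{{ value }}</title>` under autoescape, and validate_title is a hypothetical clean()-style check in the spirit of the last comment, not an existing django-cms method. It shows the single-escape case, the double-escape that produces the reported "A &amp; B" in the tab, why |safe on a user-controlled title is a script injection, and the save-time check that makes the |safe question go away.

```python
"""Added example modelling the Django autoescape pipeline discussed in this issue.
Stand-ins (SafeString, mark_safe, escape, conditional_escape) follow the behaviour of
django.utils.safestring / django.utils.html; validate_title is hypothetical."""
import html
import re


class SafeString(str):
    """Stand-in for django.utils.safestring.SafeString: autoescape outputs it as-is."""


def mark_safe(value):
    """Stand-in for django.utils.safestring.mark_safe (what the |safe filter does)."""
    return SafeString(value)


def escape(value):
    """Stand-in for django.utils.html.escape: HTML-escape, then mark the result safe."""
    return SafeString(html.escape(str(value), quote=True))


def conditional_escape(value):
    """Stand-in for django.utils.html.conditional_escape, which {{ var }} applies with
    autoescape on: SafeString passes through untouched, anything else gets escaped."""
    return value if isinstance(value, SafeString) else escape(value)


def render_title(value):
    """Models `<title>{{ value }}</title>` rendered with autoescape on."""
    return "<title>" + conditional_escape(value) + "</title>"


def browser_tab_text(document):
    """What the browser puts in the tab: the <title> content with entities decoded once."""
    match = re.search(r"<title>(.*?)</title>", document, re.S)
    return html.unescape(match.group(1)) if match else ""


TAG_RE = re.compile(r"<[^>]*>")


def validate_title(title):
    """Hypothetical clean()-style check: reject HTML tags when the page is saved, so the
    template can output the raw title and let autoescape do its one job."""
    if TAG_RE.search(title):
        raise ValueError("HTML tags are not allowed in the page title")
    return title


def demo():
    """Runs the scenarios from the thread and returns the rendered <title> for each."""
    cases = {}
    # 1. Raw str under autoescape: escaped exactly once; the tab shows "A & B".
    cases["plain"] = render_title("A & B")
    # 2. Tag pre-escapes and returns a SafeString: still escaped once, tab correct.
    cases["pre_escaped_safe"] = render_title(escape("A & B"))
    # 3. Pre-escaped value loses its SafeString marker (e.g. it went through str()):
    #    autoescape runs again, the source holds "A &amp;amp; B" and the tab shows "A &amp; B".
    cases["double_escaped"] = render_title(str(escape("A & B")))
    # 4. |safe on an unescaped, user-controlled title (constructed input): markup goes straight through.
    attacker = "</title><script>alert(1)</script>"
    cases["safe_on_untrusted"] = render_title(mark_safe(attacker))
    # 5. The same input without |safe stays inert text.
    cases["escaped_untrusted"] = render_title(attacker)
    return cases


if __name__ == "__main__":
    for name, out in demo().items():
        print(f"{name:18} {out!r:62} tab shows {browser_tab_text(out)!r}")
    print(validate_title("A & B"))
```

Case 3 is the symptom reported in the issue: an escape step whose result is no longer marked safe by the time the context is rendered gets escaped a second time, and no amount of |safe or |striptags at the template can undo the first escape. Case 4 is the reason the |safe workaround is not acceptable for a field editors control, and validate_title is the shape of the alternative proposed in the last comment: reject markup on save, store the raw title, and let autoescape handle the ampersand.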

fsbraun added a commit to jrief/django-cms that referenced this issue May 16, 2024
fsbraun added a commit to jrief/django-cms that referenced this issue May 21, 2024