Change ModelAdmin InspectView to escape any HTML from document titles

wagtail · Apr 3, 2023 · 0d48e50 · 0d48e50
1 parent c906281
commit 0d48e50
Show file tree

Hide file tree

Showing 2 changed files with 23 additions and 9 deletions.
diff --git a/wagtail/contrib/modeladmin/tests/test_simple_modeladmin.py b/wagtail/contrib/modeladmin/tests/test_simple_modeladmin.py
@@ -13,6 +13,8 @@
 from wagtail.admin.admin_url_finder import AdminURLFinder
 from wagtail.admin.panels import FieldPanel, TabbedInterface
 from wagtail.contrib.modeladmin.helpers.search import DjangoORMSearchHandler
+from wagtail.documents.models import Document
+from wagtail.documents.tests.utils import get_test_document_file
 from wagtail.images.models import Image
 from wagtail.images.tests.utils import get_test_image_file
 from wagtail.models import Locale, ModelLogEntry, Page
@@ -591,6 +593,20 @@ def test_book_author_present(self):
         response = self.get_for_book(1)
         self.assertContains(response, "J. R. R. Tolkien", 1)
 
+    def test_book_extract_document_html_escaping(self):
+        doc = Document.objects.create(
+            title="Title with <script>alert('XSS')</script>",
+            file=get_test_document_file(),
+        )
+        book = Book.objects.get(title="The Lord of the Rings")
+        book.extract_document = doc
+        book.save()
+        response = self.get_for_book(1)
+        self.assertNotContains(response, "Title with <script>alert('XSS')</script>")
+        self.assertContains(
+            response, "Title with &lt;script&gt;alert(&#x27;XSS&#x27;)&lt;/script&gt;"
+        )
+
     def test_non_existent(self):
         response = self.get_for_book(100)
         self.assertEqual(response.status_code, 404)

diff --git a/wagtail/contrib/modeladmin/views.py b/wagtail/contrib/modeladmin/views.py
@@ -29,8 +29,8 @@
 from django.utils.decorators import method_decorator
 from django.utils.encoding import force_str
 from django.utils.functional import cached_property
+from django.utils.html import format_html
 from django.utils.http import urlencode
-from django.utils.safestring import mark_safe
 from django.utils.text import capfirst
 from django.utils.translation import gettext as _
 from django.utils.translation import gettext_lazy
@@ -1132,14 +1132,12 @@ def get_document_field_display(self, field_name, field):
         """Render a link to a document"""
         document = getattr(self.instance, field_name)
         if document:
-            return mark_safe(
-                '<a href="%s">%s <span class="meta">(%s, %s)</span></a>'
-                % (
-                    document.url,
-                    document.title,
-                    document.file_extension.upper(),
-                    filesizeformat(document.file.size),
-                )
+            return format_html(
+                '<a href="{}">{} <span class="meta">({}, {})</span></a>',
+                document.url,
+                document.title,
+                document.file_extension.upper(),
+                filesizeformat(document.file.size),
             )
         return self.model_admin.get_empty_value_display(field_name)