Change ChooseParentView to use plain text breadcrumbs for page titles, avoiding stored XSS vector
thibaudcolas authored and gasman committed Apr 3, 2023
1 parent 18d5832 commit 5be2b1e
Showing 2 changed files with 16 additions and 2 deletions.
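--- a/wagtail/contrib/modeladmin/forms.py
+++ b/wagtail/contrib/modeladmin/forms.py
@@ -1,5 +1,4 @@
 from django import forms
-from django.utils.safestring import mark_safe
 from django.utils.translation import gettext as _
 
 from wagtail.models import Page
@@ -12,7 +11,7 @@ def label_from_instance(self, obj):
 obj.get_ancestors(inclusive=True).exclude(depth=1).specific(defer=True)
 ):
 bits.append(ancestor.get_admin_display_title())
-return mark_safe('<span class="icon icon-arrow-right"></span>'.join(bits))
+return " | ".join(bits)
 
 
 class ParentChooserForm(forms.Form):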
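Review bot: The new `return " | ".join(bits)` is safe only because the label is now a plain `str` that the form widget autoescapes when it renders the choice, and nothing in the hunk records that invariant, so a later "bring back the arrow icon" change could reintroduce the stored XSS the commit closes. I would add a comment on the return line, `# Deliberately plain text: page titles are user-controlled and must stay an unmarked str that the widget escapes — never wrap this in mark_safe().`. If the icon separator is wanted back, the safe way is to escape each title before joining it with markup, e.g. `format_html_join(mark_safe(ICON), "{}", ((b,) for b in bits))`, rather than marking the joined titles safe as before. The body of `label_from_instance` starts above this hunk, so its earlier statements were not reviewed here.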
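--- a/wagtail/contrib/modeladmin/tests/test_page_modeladmin.py
+++ b/wagtail/contrib/modeladmin/tests/test_page_modeladmin.py
@@ -286,6 +286,21 @@ def test_back_to_listing(self):
 """
 self.assertContains(response, expected, html=True)
 
+def test_page_title_html_escaping(self):
+homepage = Page.objects.get(url_path="/home/")
+business_index = BusinessIndex(
+title="Title with <script>alert('XSS')</script>",
+)
+homepage.add_child(instance=business_index)
+
+response = self.client.get("/admin/tests/businesschild/choose_parent/")
+
+self.assertEqual(response.status_code, 200)
+self.assertNotContains(response, "Title with <script>alert('XSS')</script>")
+self.assertContains(
+response, "Title with &lt;script&gt;alert(&#x27;XSS&#x27;)&lt;/script&gt;"
+)
+
 
 class TestChooseParentViewForNonSuperuser(TestCase, WagtailTestUtils):
 fixtures = ["test_specific.json"]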
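Review bot: The positive assertion in `test_page_title_html_escaping` pins the exact escaped apostrophe (`&#x27;`), which is a detail of Django's `escape()` rather than the security property under test; the `assertNotContains` on the raw `<script>` plus a check for `&lt;script&gt;` is what proves the title is escaped, so I would loosen the second assertion to `self.assertContains(response, "Title with &lt;script&gt;alert(")` to keep it from breaking on a change in quote escaping. The test also has no docstring; I would add `"""Regression test: page titles in the parent chooser must be HTML-escaped, not rendered via mark_safe."""` so the reason for the odd title is clear to the next reader. The enclosing test class starts above this hunk.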
