
Commit 5be2b1e

thibaudcolasgasman
authored and committed
Change ChooseParentView to use plain text breadcrumbs for page titles, avoiding stored XSS vector
1 parent 18d5832 commit 5be2b1e

2 files changed

+16
-2
lines changed


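--- a/wagtail/contrib/modeladmin/forms.py
+++ b/wagtail/contrib/modeladmin/forms.py
@@ -1,5 +1,4 @@
 from django import forms
-from django.utils.safestring import mark_safe
 from django.utils.translation import gettext as _
 
 from wagtail.models import Page
@@ -12,7 +11,7 @@ def label_from_instance(self, obj):
             obj.get_ancestors(inclusive=True).exclude(depth=1).specific(defer=True)
         ):
             bits.append(ancestor.get_admin_display_title())
-        return mark_safe('<span class="icon icon-arrow-right"></span>'.join(bits))
+        return " | ".join(bits)
 
 
 class ParentChooserForm(forms.Form):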
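Review bot: The new `return " | ".join(bits)` at the end of the second hunk is only safe because the returned plain str is autoescaped by the template when the choice label is rendered, and nothing in the code records that, so a later change could reintroduce `mark_safe` to restore the arrow icon and reopen the same issue. A short comment above the return would preserve the intent: `# Plain str on purpose: page titles are user-supplied, so the label must be autoescaped at render time rather than marked safe.` Each element of bits comes from `get_admin_display_title()`, which presumably returns plain text rather than a SafeString; if that assumption changes, the join still yields an ordinary str, which is the desired outcome. The body of label_from_instance starts before this hunk.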

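--- a/wagtail/contrib/modeladmin/tests/test_page_modeladmin.py
+++ b/wagtail/contrib/modeladmin/tests/test_page_modeladmin.py
@@ -286,6 +286,21 @@ def test_back_to_listing(self):
         """
         self.assertContains(response, expected, html=True)
 
+    def test_page_title_html_escaping(self):
+        homepage = Page.objects.get(url_path="/home/")
+        business_index = BusinessIndex(
+            title="Title with <script>alert('XSS')</script>",
+        )
+        homepage.add_child(instance=business_index)
+
+        response = self.client.get("/admin/tests/businesschild/choose_parent/")
+
+        self.assertEqual(response.status_code, 200)
+        self.assertNotContains(response, "Title with <script>alert('XSS')</script>")
+        self.assertContains(
+            response, "Title with &lt;script&gt;alert(&#x27;XSS&#x27;)&lt;/script&gt;"
+        )
+
 
 class TestChooseParentViewForNonSuperuser(TestCase, WagtailTestUtils):
     fixtures = ["test_specific.json"]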
