From 3a4508a07b60ffb488faa7c1d3b04464d1c79b9a Mon Sep 17 00:00:00 2001
From: Github Release Action
Date: Mon, 11 Nov 2024 21:29:24 +0100
Subject: [PATCH 1/2] Fix: XSS vulnerability for page title

---
 cms/api.py | 2 +-
 cms/templatetags/cms_tags.py | 4 +---
 cms/tests/test_templatetags.py | 12 ++++++++----
 3 files changed, 10 insertions(+), 8 deletions(-)

diff --git a/cms/api.py b/cms/api.py
index b8dd8dab10f..207a3d7950f 100644
--- a/cms/api.py
+++ b/cms/api.py
@@ -136,7 +136,7 @@ def create_page(title, template, language, menu_title=None, slug=None,
 xframe_options=constants.X_FRAME_OPTIONS_INHERIT):
 """
 Creates a :class:`cms.models.Page` instance and returns it. Also
- creates a :class:`cms.models.Title` instance for the specified
+ creates a :class:`cms.models.PageContent` instance for the specified
 language.
 
 .. warning::
diff --git a/cms/templatetags/cms_tags.py b/cms/templatetags/cms_tags.py
index f8e8472a497..675c4353cb6 100644
--- a/cms/templatetags/cms_tags.py
+++ b/cms/templatetags/cms_tags.py
@@ -441,9 +441,7 @@ def get_value(self, context, name, page_lookup):
 if page and name in self.valid_attributes:
 func = getattr(page, "get_%s" % name)
 ret_val = func(language=lang, fallback=True)
- if name == 'page_title':
- ret_val = strip_tags(ret_val)
- elif not isinstance(ret_val, datetime):
+ if not isinstance(ret_val, datetime):
 ret_val = escape(ret_val)
 return ret_val
 return ''
diff --git a/cms/tests/test_templatetags.py b/cms/tests/test_templatetags.py
index 42588ffa8ee..e0aae1baab6 100644
--- a/cms/tests/test_templatetags.py
+++ b/cms/tests/test_templatetags.py
@@ -11,7 +11,7 @@
 from django.test import RequestFactory
 from django.test.utils import override_settings
 from django.utils.encoding import force_str
-from django.utils.html import strip_tags
+from django.utils.html import strip_tags, escape
 from django.utils.timezone import now
 from django.utils.translation import override as force_language
 from djangocms_text_ckeditor.cms_plugins import TextPlugin
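Review bot: The collapsed branch in get_value now escapes `page_title` like every other non-datetime attribute, which is the correct fix, but the hunk leaves no record of why the special case was dropped, so a later "cleanup" could reintroduce strip_tags; a short comment above the `if` would pin it, e.g. `# escape(), not strip_tags(): stripping removes elements but keeps quote and angle-bracket characters, so a title could still break out of the attribute or tag it is rendered into`. With that branch gone, the `strip_tags` import at the top of cms_tags.py is presumably unused unless another call site remains — worth checking, since the follow-up "fix linting" commit only touches the test module's imports. datetime values continue to bypass escape() and rely on the template's autoescaping, which this change does not alter. get_value starts before this hunk.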
@@ -139,6 +139,7 @@ def test_unicode_placeholder_name_fails_fast(self): def test_page_attribute_tag_escapes_content(self): script = '' ampersand = 'Q&A page' + partial = '">
Date: Mon, 11 Nov 2024 21:38:01 +0100
Subject: [PATCH 2/2] fix linting

---
 cms/tests/test_templatetags.py | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/cms/tests/test_templatetags.py b/cms/tests/test_templatetags.py
index e0aae1baab6..0f7ef16a696 100644
--- a/cms/tests/test_templatetags.py
+++ b/cms/tests/test_templatetags.py
@@ -11,11 +11,10 @@
 from django.test import RequestFactory
 from django.test.utils import override_settings
 from django.utils.encoding import force_str
-from django.utils.html import strip_tags, escape
+from django.utils.html import escape
 from django.utils.timezone import now
 from django.utils.translation import override as force_language
 from djangocms_text_ckeditor.cms_plugins import TextPlugin
-from djangocms_text_ckeditor.models import Text
 from sekizai.context import SekizaiContext
 
 import cms