Change ChooseParentView to use plain text breadcrumbs for page titles, avoiding stored XSS vector

wagtail/contrib/modeladmin/forms.py

@@ -1,5 +1,4 @@
 from django import forms
-from django.utils.safestring import mark_safe
 from django.utils.translation import gettext as _
 
 from wagtail.models import Page
@@ -12,7 +11,7 @@ class PageChoiceField(forms.ModelChoiceField):
             obj.get_ancestors(inclusive=True).exclude(depth=1).specific(defer=True)
         ):
             bits.append(ancestor.get_admin_display_title())
-        return mark_safe('<span class="icon icon-arrow-right"></span>'.join(bits))
+        return " | ".join(bits)
 
 
 class ParentChooserForm(forms.Form):

wagtail/contrib/modeladmin/tests/test_page_modeladmin.py

@@ -306,6 +306,21 @@ class TestChooseParentView(WagtailTestUtils, TestCase):
         """
         self.assertContains(response, expected, html=True)
 
+    def test_page_title_html_escaping(self):
+        homepage = Page.objects.get(url_path="/home/")
+        business_index = BusinessIndex(
+            title="Title with <script>alert('XSS')</script>",
+        )
+        homepage.add_child(instance=business_index)
+
+        response = self.client.get("/admin/tests/businesschild/choose_parent/")
+
+        self.assertEqual(response.status_code, 200)
+        self.assertNotContains(response, "Title with <script>alert('XSS')</script>")
+        self.assertContains(
+            response, "Title with &lt;script&gt;alert(&#x27;XSS&#x27;)&lt;/script&gt;"
+        )
+
 
 class TestChooseParentViewForNonSuperuser(WagtailTestUtils, TestCase):
     fixtures = ["test_specific.json"]