From d6b5db4a4b77d037508636a8d6c8494b90013f4d Mon Sep 17 00:00:00 2001
From: Skia
Date: Fri, 24 Feb 2017 04:36:36 +0100
Subject: [PATCH] Sanitize page name
---
 core/models.py | 10 +++++++++-
 core/templates/core/page_list.jinja | 2 +-
 2 files changed, 10 insertions(+), 2 deletions(-)
diff --git a/core/models.py b/core/models.py
index 1d2e5879..b5480cc4 100644
--- core/models.py
+++ core/models.py
@@ -732,7 +732,15 @@ class Page(models.Model):
 Be careful with the _full_name attribute: this field may not be valid until you call save(). It's made for fast query, but don't rely on it when playing with a Page object, use get_full_name() instead! """
- name = models.CharField(_('page name'), max_length=30, blank=False)
+ name = models.CharField(_('page unix name'), max_length=30,
+ validators=[
+ validators.RegexValidator(
+ r'^[\w.+-]+$',
+ _('Enter a valid page name. This value may contain only '
+ 'letters, numbers ' 'and ./+/-/_ characters.')
+ ),
+ ],
+ blank=False)
 parent = models.ForeignKey('self', related_name="children", verbose_name=_("parent"), null=True, blank=True, on_delete=models.SET_NULL)
 # Attention: this field may not be valid until you call save(). It's made for fast query, but don't rely on it when
 # playing with a Page object, use get_full_name() instead!
diff --git a/core/templates/core/page_list.jinja b/core/templates/core/page_list.jinja
index 0e382ecb..39e9b69f 100644
--- core/templates/core/page_list.jinja
+++ core/templates/core/page_list.jinja
@@ -9,7 +9,7 @@
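Review bot: The added pattern `r'^[\w.+-]+$'` in the core/models.py hunk ends with `$`, which in Python also matches just before a trailing newline, so a name such as `"home\n"` passes the validator; anchoring with `\Z` closes that: `r'^[\w.+-]+\Z',`. The character class also accepts names made only of dots (`.` and `..`), which is worth rejecting if the name ends up as a URL path segment, as the new "unix name" label suggests. Model validators run only through `full_clean()` and ModelForms, not on `save()`, so rows created before this commit and any code path that saves a `Page` directly are not covered by the new check. The `Page` class starts and ends outside this hunk, so how `name` is consumed is not visible here.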

{% trans %}Page list{% endtrans %}

{% else %}