[6.0.x] Fixed #36733 -- Escaped attributes in Stylesheet.__str__().

Thanks Mustafa Barakat for the report, Baptiste Mispelon for
the triage, and Jake Howard for the review.

Backport of e05f2a75695b5f5faa7682d4053db4776d4d6f93 from main.

1 files changed, 15 insertions, 1 deletions

diff --git a/tests/utils_tests/test_feedgenerator.py b/tests/utils_tests/test_feedgenerator.py
index 28a1afc96e..65e1faae6c 100644
--- a/tests/utils_tests/test_feedgenerator.py
+++ b/tests/utils_tests/test_feedgenerator.py
@@ -156,6 +156,20 @@ class FeedgeneratorTests(SimpleTestCase):
         stylesheet = feedgenerator.Stylesheet(SimpleLazyObject(m))
         m.assert_not_called()
         self.assertEqual(
-            str(stylesheet), 'href="test.css" type="text/css" media="screen"'
+            str(stylesheet), 'href="test.css" media="screen" type="text/css"'
         )
         m.assert_called_once()
+
+    def test_stylesheet_attribute_escaping(self):
+        style = feedgenerator.Stylesheet(
+            url='http://example.com/style.css?foo="bar"&baz=<>',
+            mimetype='text/css; charset="utf-8"',
+            media='screen and (max-width: "600px")',
+        )
+
+        self.assertEqual(
+            str(style),
+            'href="http://example.com/style.css?foo=%22bar%22&amp;baz=%3C%3E" '
+            'media="screen and (max-width: &quot;600px&quot;)" '
+            'type="text/css; charset=&quot;utf-8&quot;"',
+        )