plone / Products.CMFPlone

The core of the Plone content management system
https://plone.org
GNU General Public License v2.0

Invalid XML character is able to be pasted into editor and crashes edit page #3818

Open ewohnlich opened 1 year ago

ewohnlich commented 1 year ago

BUG/PROBLEM REPORT (OR OTHER COMMON ISSUE)

Plone 5.2 (not a problem in 6!)

Unable to load the edit page after it is saved with \x0b (vertical tab)

What I did:

We need to be able to copy the rendered character to paste it into the page. One way to do that is this line of Python: print('foo\x0bbar') and copy the results. Create a Page, open the source code modal, paste and save.

What I expect to happen:

View page loads. Edit page loads.

What actually happened:

View page loaded. Edit page errored.

Traceback (innermost last):
  Module ZPublisher.WSGIPublisher, line 162, in transaction_pubevents
  Module ZPublisher.WSGIPublisher, line 371, in publish_module
  Module ZPublisher.WSGIPublisher, line 266, in publish
  Module ZPublisher.mapply, line 85, in mapply
  Module ZPublisher.WSGIPublisher, line 63, in call_object
  Module plone.z3cform.layout, line 63, in __call__
  Module plone.z3cform.layout, line 57, in update
  Module z3c.form.form, line 162, in render
  Module zope.browserpage.viewpagetemplatefile, line 46, in __call__
  Module zope.pagetemplate.pagetemplate, line 133, in pt_render
  Module Products.PageTemplates.engine, line 378, in __call__
  Module z3c.pt.pagetemplate, line 176, in render
  Module chameleon.zpt.template, line 302, in render
  Module chameleon.template, line 192, in render
  Module bbf8c73a38c2ba5d0810cd84a09effc7, line 115, in render
  Module a3ed0fc6fc55f2c1688cd346a456e364, line 936, in render_titlelessform
  Module a3ed0fc6fc55f2c1688cd346a456e364, line 1242, in render_fields
  Module a3ed0fc6fc55f2c1688cd346a456e364, line 1779, in render_widget_rendering
  Module a3ed0fc6fc55f2c1688cd346a456e364, line 1886, in render_field
  Module zope.tales.expressions, line 250, in __call__
  Module Products.PageTemplates.Expressions, line 225, in _eval
  Module Products.PageTemplates.Expressions, line 155, in render
  Module zope.browserpage.simpleviewclass, line 41, in __call__
  Module zope.browserpage.viewpagetemplatefile, line 81, in __call__
  Module zope.browserpage.viewpagetemplatefile, line 46, in __call__
  Module zope.pagetemplate.pagetemplate, line 133, in pt_render
  Module Products.PageTemplates.engine, line 378, in __call__
  Module z3c.pt.pagetemplate, line 176, in render
  Module chameleon.zpt.template, line 302, in render
  Module chameleon.template, line 215, in render
  Module chameleon.utils, line 53, in raise_with_traceback
  Module chameleon.template, line 192, in render
  Module 1710706600c80dca20fe54a4e7934721, line 586, in render
  Module 1710706600c80dca20fe54a4e7934721, line 456, in render_widget_wrapper
  Module zope.tales.expressions, line 250, in __call__
  Module Products.PageTemplates.Expressions, line 225, in _eval
  Module Products.PageTemplates.Expressions, line 155, in render
  Module plone.app.z3cform.widget, line 744, in render
  Module plone.app.z3cform.widget, line 819, in tinymce_richtextwidget_render
  Module plone.app.z3cform.widget, line 769, in render_input_mode
  Module plone.app.widgets.base, line 334, in __init__
  Module plone.app.widgets.base, line 348, in _set_value
  Module lxml.etree, line 1039, in lxml.etree._Element.text.__set__
  Module lxml.etree, line 747, in lxml.etree._setNodeText
  Module lxml.etree, line 735, in lxml.etree._createTextNode
  Module lxml.etree, line 1540, in lxml.etree._utf8
ValueError: All strings must be XML compatible: Unicode or ASCII, no NULL bytes or control character

What version of Plone/Addons I am using:

Plone 5.2, no addons. I also tested on the Plone 6 demo site and it was not a problem there.

I'm not sure if this was actually fixed in Plone or if it's some filtering done by TinyMCE. If there was a change in Plone 6 to fix this, we should backport. If it was just fixed by virtue of a TinyMCE update, it would be good to fix this for Plone 5 in some way. Maybe the rich text widget should strip any invalid XML characters?

petschki commented 1 year ago

The control character problem is discussed and fixed for Plone 6 here https://github.com/plone/plone.app.z3cform/pull/167 ... maybe you can backport this for Plone 5.2?
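
The stripping idea raised in the report, as an added example (not code from this issue, from Plone, or from the linked pull request): it locates and removes characters outside the XML 1.0 `Char` production before the value is set as element text. It uses only the standard library; the `textarea` element name, the function names and the sample string are assumptions made for the illustration.

```python
import re
import xml.etree.ElementTree as ET

# Matches anything outside the XML 1.0 "Char" production:
# #x9 | #xA | #xD | [#x20-#xD7FF] | [#xE000-#xFFFD] | [#x10000-#x10FFFF]
_INVALID_XML_CHARS = re.compile(
    "[^\u0009\u000a\u000d\u0020-\ud7ff\ue000-\ufffd\U00010000-\U0010ffff]"
)


def find_invalid_xml_chars(text):
    """Return (offset, code point) pairs for characters XML 1.0 forbids."""
    return [
        (m.start(), "U+%04X" % ord(m.group()))
        for m in _INVALID_XML_CHARS.finditer(text)
    ]


def strip_invalid_xml_chars(text):
    """Drop forbidden characters; tab, LF and CR are kept."""
    return _INVALID_XML_CHARS.sub("", text)


def is_well_formed(text):
    """Put text in an element (hypothetical name), serialize, re-parse."""
    el = ET.Element("textarea")
    el.text = text
    try:
        ET.fromstring(ET.tostring(el, encoding="unicode"))
    except (ET.ParseError, ValueError):
        return False
    return True


# Constructed sample: editor source containing a vertical tab, as in the report.
PASTED = "<p>foo\x0bbar</p>"

if __name__ == "__main__":
    print("invalid characters:", find_invalid_xml_chars(PASTED))
    print("well-formed before:", is_well_formed(PASTED))
    cleaned = strip_invalid_xml_chars(PASTED)
    print("cleaned value:", repr(cleaned))
    print("well-formed after:", is_well_formed(cleaned))
```

Running the same filter when the value is saved, and not only when the edit form renders it, keeps the character out of stored content altogether.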