Refs #3150 can pass description to RSS page shell
cash committed Nov 17, 2011
1 parent a823e18 commit ba2a853
Showing 1 changed file with 25 additions and 18 deletions.
43 changes: 25 additions & 18 deletions views/rss/page/default.php
Expand Up @@ -2,17 +2,13 @@
/**
* Elgg RSS output pageshell
*
* @package Elgg
* @subpackage Core
* @package Elgg.Core
*
* @uses $vars['title'] The title of the RSS feed
* @uses $vars['body'] The items for the RSS feed as a string
* @uses $vars['descrption'] The description for the RSS feed
*/

header("Content-Type: text/xml");

// allow caching as required by stupid MS products for https feeds.
header('Pragma: public', TRUE);

echo "<?xml version='1.0'?>";

// Set title
if (empty($vars['title'])) {
$title = elgg_get_config('sitename');
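Review bot: The new docblock line `@uses $vars['descrption']` misspells the key. The code added further down reads `elgg_extract('description', $vars, '')`, so a caller who copies the documented name will pass a value that is silently ignored and the feed will ship an empty description. Please correct it to `$vars['description']`.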
Expand All @@ -23,17 +19,28 @@
// Remove RSS from URL
$url = str_replace('?view=rss', '', full_url());
$url = str_replace('&view=rss', '', $url);
$url = htmlspecialchars($url, ENT_NOQUOTES, 'UTF-8');

?>
$body = elgg_extract('body', $vars, '');
$description = elgg_extract('description', $vars, '');

<rss version="2.0" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:georss="http://www.georss.org/georss" <?php echo elgg_view('extensions/xmlns'); ?> >
$namespaces = elgg_view('extensions/xmlns');
$extensions = elgg_view('extensions/channel');


// allow caching as required by stupid MS products for https feeds.
header('Pragma: public', true);
header("Content-Type: text/xml");

echo "<?xml version='1.0'?>";
echo <<<END
<rss version="2.0" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:georss="http://www.georss.org/georss" $namespaces>
<channel>
<title><![CDATA[<?php echo $title; ?>]]></title>
<link><?php echo htmlentities($url); ?></link>
<description></description>
<?php
echo elgg_view('extensions/channel');
echo $vars['body'];
?>
<title><![CDATA[$title]]></title>
<link>$url</link>
<description><![CDATA[$description]]></description>
$extensions
$body
</channel>
</rss>
END;
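Review bot: In the heredoc, `<description><![CDATA[$description]]></description>` interpolates the value taken from `elgg_extract('description', $vars, '')` with nothing in these lines handling a `]]>` sequence. A description containing `]]>` closes the CDATA section early and the rest of the string is parsed as feed markup, which at best yields malformed XML. Either split the terminator before output (replace `]]>` with `]]]]><![CDATA[>`) or drop the CDATA wrapper and escape with `htmlspecialchars($description, ENT_NOQUOTES, 'UTF-8')`, as is already done for `$url`. The `<title><![CDATA[$title]]></title>` line deserves the same treatment.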

2 comments on commit ba2a853

@hellekin

Is that a way to spook on people? How do you cache encrypted contents? Once per request?

https://blogs.msdn.com/themes/blogs/generic/post.aspx?WeblogApp=ieinternals&y=2010&m=04&d=21&WeblogPostName=internet-explorer-may-bypass-cache-for-cross-domain-https-content&GroupKeys=

After reading [this blog article on IE Internals](https://blogs.msdn.com/themes/blogs/generic/post.aspx?WeblogApp=ieinternals&y=2009&m=10&d=02&WeblogPostName=internet-explorer-cannot-download-over-https-when-no-cache&GroupKeys=), and [that one by the same author](https://blogs.msdn.com/themes/blogs/generic/post.aspx?WeblogApp=ieinternals&y=2010&m=04&d=21&WeblogPostName=internet-explorer-may-bypass-cache-for-cross-domain-https-content&GroupKeys=), I'm a bit confused at how IE handles caching. But Cache-Control: public means that the response MAY be cached by any cache, even if it would normally be non-cacheable or cacheable only within a non-shared cache, hence my initial question.

On Firefox, [about:cache?device=disk](about:cache?device=disk) shows that HTTPS content is cached to disk when Cache-Control: public is set. On IE, says Eric Law in the blogs mentioned above, "you CAN specify Cache-Control: no-store, no-cache and the download will work, but if you specify these directives in the opposite order, it will fail."

Overall, this feature can become a privacy issue on IE and other browsers. Maybe Cache-Control: no-store, no-cache would provide a better solution, privacy-wise, at the cost of additional work for RSS readers.

@cash
Contributor Author

@cash cash commented on ba2a853 Nov 17, 2011


Well, this commit did not actually add this header override. That's been around since some version of 1.7. We discovered the issue when Outlook users were reporting that they couldn't read RSS feeds from Elgg when the Elgg site was using SSL. That's a common use case for those using Elgg on corporate intranets. Debugging this is a pain since I don't have easy access to Outlook (and really I would need access to the major versions of Outlook - 2003, 2007, etc.). We would need to find test users to evaluate other solutions.
