Skip to content

Commit

Permalink
Browse files Browse the repository at this point in the history
fix XSS in RSS syntax
The title was not correctly escaped when written to the doc in xhtml
renderer.

SimplePie does no content escaping on its own (a comment in the code
seems to suggest that that was assumed). Instead the content is passed
on as-is from the feed.

This patch also applies some more escaping on the description output
(though it should have been relatively safe thanks to the use of
striptags).

This was discovered by @Ry0taK and reported in
https://huntr.dev/bounties/c6119106-1a5c-464c-94dd-ee7c5d0bece0/
  • Loading branch information
splitbrain committed May 15, 2023
1 parent 94ce248 commit 53df38b
Showing 1 changed file with 10 additions and 9 deletions.
19 changes: 10 additions & 9 deletions inc/parser/xhtml.php
Expand Up @@ -1280,17 +1280,15 @@ public function rss($url, $params) {
for($x = $start; $x != $end; $x += $mod) {
$item = $feed->get_item($x);
$this->doc .= '<li><div class="li">';
// support feeds without links

$lnkurl = $item->get_permalink();
$title = html_entity_decode($item->get_title(), ENT_QUOTES, 'UTF-8');

// support feeds without links
if($lnkurl) {
// title is escaped by SimplePie, we unescape here because it
// is escaped again in externallink() FS#1705
$this->externallink(
$item->get_permalink(),
html_entity_decode($item->get_title(), ENT_QUOTES, 'UTF-8')
);
$this->externallink($item->get_permalink(), $title);
} else {
$this->doc .= ' '.$item->get_title();
$this->doc .= ' '.hsc($item->get_title());
}
if($params['author']) {
$author = $item->get_author(0);
Expand All @@ -1304,8 +1302,11 @@ public function rss($url, $params) {
$this->doc .= ' ('.$item->get_local_date($conf['dformat']).')';
}
if($params['details']) {
$desc = $item->get_description();
$desc = strip_tags($desc);
$desc = html_entity_decode($desc, ENT_QUOTES, 'UTF-8');
$this->doc .= '<div class="detail">';
$this->doc .= strip_tags($item->get_description());
$this->doc .= hsc($desc);
$this->doc .= '</div>';
}

Expand Down

0 comments on commit 53df38b

Please sign in to comment.