Views_rss doesn't apply input filters to fulltext output

TimK - May 30, 2007 - 00:26
Project: Views
Version: 5.x-1.6
Component: Code
Category: bug report
Priority: normal
Assigned: Unassigned
Status: reviewed & tested by the community
Description

If you have your RSS feeds configured to output the full text of nodes, and you use views_rss to generate an RSS feed, the feed will have the raw body content of the nodes in the feed. However, the body content ought to have input filters applied.

To reproduce, set the RSS settings to include full-text (rather than just the teaser). Then look at the default frontpage view's feed, which is at frontpage/feed. The feed's items will have been output without input filtering.

This is a security bug, because it enables stored cross-site scripting attacks. Consider, if you have a site in which users may register and submit content all without prior approval. A malicious user could submit content with malicious JavaScript (or some other malicious code), which would then be transmitted, unfiltered, via any views RSS feeds. Any user who happens to look at the feed would have the malicious code run in his browser.

The fix is trivial. The return value of node_invoke() needs to be assigned to the output object, thusly:

142c142
< node_invoke($item, 'view', $teaser, FALSE);
---
> $item = node_invoke($item, 'view', $teaser, FALSE);
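Review bot: the corrected line relies on node_invoke() handing back a modified copy of the node rather than changing $item in place, so a one-line comment on the new line 142 (for example `// hook_view returns the node with input filters applied; keep the result`) would make the reason for the assignment obvious and stop it being dropped again in a later edit. It is also worth checking that every use of $item after line 142, in particular the body that ends up in the feed's description, now reads from the returned copy, since any remaining reference to the unfiltered node would leave the stored XSS in place.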

-TimK
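The following is an added illustration of the bug described in this report, not code from Views, views_rss or Drupal core. It uses hypothetical stand-ins (example_view() for a node type's hook_view, example_node_invoke() for node_invoke(), htmlspecialchars() for Drupal's input filters) so it runs on its own; the point it shows is that a caller which discards the hook's return value emits the untrusted body verbatim, while the one-line fix from the report emits the filtered copy.

```php
<?php
// Added example, not Drupal or views_rss code.
// Stand-in for a node type's hook_view. It works on a copy of the node, as
// PHP 4 (which Drupal 5 ran on) did implicitly when objects were passed by
// value, filters the body and returns the new copy. htmlspecialchars() is a
// placeholder for the input filter pipeline.
function example_view($node, $teaser = FALSE, $page = FALSE) {
  $copy = clone $node;
  $copy->body = htmlspecialchars($copy->body, ENT_QUOTES, 'UTF-8');
  return $copy;
}

// Stand-in for node_invoke(): dispatch to the type's hook and hand back
// whatever the hook returns. The caller has to use that return value.
function example_node_invoke($node, $hook, $a2 = NULL, $a3 = NULL) {
  $function = 'example_' . $hook;
  return $function($node, $a2, $a3);
}

// Feed item builder as it was before the fix: the filtered node returned by
// the hook is thrown away and the raw body goes into the feed.
function build_item_vulnerable($item) {
  example_node_invoke($item, 'view', FALSE, FALSE);
  return '<item><description>' . $item->body . '</description></item>';
}

// Feed item builder with the reported fix applied: the returned copy is
// assigned back to $item, so the feed carries the filtered body.
function build_item_fixed($item) {
  $item = example_node_invoke($item, 'view', FALSE, FALSE);
  return '<item><description>' . $item->body . '</description></item>';
}

// Constructed sample node with an untrusted body, as a malicious registered
// user could submit it.
$node = new stdClass();
$node->body = '<p>hello</p><script>alert(1)</script>';

$raw  = build_item_vulnerable($node);
$safe = build_item_fixed($node);

// Before the fix the <script> element survives into the feed verbatim;
// after it only escaped text remains.
var_dump(strpos($raw, '<script>') !== FALSE);   // bool(true)
var_dump(strpos($safe, '<script>') !== FALSE);  // bool(false)
echo $raw, "\n", $safe, "\n";
```

Run it with `php example.php`; the two var_dump() lines are the check a reviewer would want, since the first feed item still contains the script element and the second does not.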

#1

gnassar - June 8, 2007 - 19:27
Status: active » needs review

Had the same problem. TimK's patch seems to have fixed it. Nice catch!

Went ahead and made up a patch for it.

Attachment: views_rss.module.HEAD_.patch (570 bytes)

#2

gnassar - June 27, 2007 - 21:33
Status: needs review » reviewed & tested by the community

As a security bug, it'd be nice to get this into HEAD before the 6 freeze, I imagine, for any future branching.

#3

merlinofchaos - July 14, 2007 - 18:59
Status: reviewed & tested by the community » fixed

Committed to -dev! Thanks!

#4

Anonymous - July 28, 2007 - 19:00
Status: fixed » closed

#5

rfay - April 20, 2008 - 20:31
Version: 5.x-1.6-beta5 » 5.x-1.6
Status: closed » active

Although the CHANGELOG.txt for views 5.x-1.6 says that this patch was applied, it was not, and this bug still exists in 5.x-1.6.

#6

merlinofchaos - April 20, 2008 - 21:32
Status: active » reviewed & tested by the community