Project: News Page
Version: 5.x-1.1
Component: Code
Category: bug report
Priority: normal
Assigned: Unassigned
Status: closed (fixed)

Issue Summary

Hello,

I had a problem parsing characters using Google's RSS feeds. Basically ampersands were being rendered as &amp;amp;. Ampersands should just render as an &, otherwise the output becomes ' whereas it should be '.

At line 421 the module contains: $output .= '<h2 class="feed-item-title">' . check_plain($item->title) . '</h2>';

This isn't good enough at dealing with character entities and could open up an exploit.

So simply change line 421 to: $output .= '<h2 class="feed-item-title">' . filter_xss($item->title, array()) . '</h2>';

This issue was addressed in the original 5.x release of the aggregation module.

See: http://drupal.org/node/61456 for more info.

Thanks,

Justin.
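
The double-encoding described in the report above, as an added example that is not part of the original post or the module's code. `render_check_plain()` uses the same core call as Drupal's `check_plain()`; `render_strip_tags()` is a hypothetical, simplified stand-in for `filter_xss($title, array())`, not Drupal's implementation, and the feed titles are constructed.

```php
<?php
// Same core call as Drupal's check_plain(): every special character is
// encoded, including the '&' of entities the feed already encoded.
function render_check_plain(string $title): string {
    return htmlspecialchars($title, ENT_QUOTES, 'UTF-8');
}

// Hypothetical stand-in for filter_xss($title, array()) (NOT Drupal's code):
// drop all tags, then encode what is left. The final 'false' argument
// (double_encode) leaves well-formed entities such as &amp; untouched.
function render_strip_tags(string $title): string {
    return htmlspecialchars(strip_tags($title), ENT_QUOTES, 'UTF-8', false);
}

// Constructed sample titles, as they might arrive in an RSS <title> element
// after XML parsing.
$titles = array(
    'Q&amp;A: what&#039;s new',             // already entity-encoded by the feed
    'R&D budget',                           // bare ampersand
    '<script>alert(1)</script>Breaking',    // raw markup in the title
    '&lt;b&gt;bold&lt;/b&gt;',              // entity-encoded markup
);

foreach ($titles as $title) {
    printf("feed title   : %s\n", $title);
    printf("check_plain  : %s\n", render_check_plain($title));
    printf("strip + once : %s\n\n", render_strip_tags($title));
}

// For the first title, check_plain-style output is
//   Q&amp;amp;A: what&amp;#039;s new
// which a browser displays as "Q&amp;A: what&#039;s new" (the reported bug),
// while the second renderer emits
//   Q&amp;A: what&#039;s new
// which displays as "Q&A: what's new".
// In every case the output contains no raw '<', so neither renderer lets
// feed-supplied markup reach the page as HTML.
```

Both renderers keep feed-supplied markup out of the page; they differ only in whether entities that are already encoded get encoded a second time.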

Comments

#1

Status: active » fixed

Fixed in next version. Also changed markup to h3 instead of h2 as the page title is h2.

#2

Status: fixed » closed (fixed)

Automatically closed -- issue fixed for 2 weeks with no activity.