Closed (fixed)
Project:
News Page
Version:
5.x-1.1
Component:
Code
Priority:
Normal
Category:
Bug report
Assigned:
Unassigned
Reporter:
Created:
29 Apr 2008 at 13:55 UTC
Updated:
22 Apr 2009 at 00:00 UTC
Hello,
I had a problem parsing characters using Google's RSS feeds. Basically ampersands were being rendered as &. Ampersands should just render as an & otherwise the output becomes ' whereas it should be '.
At line 421 the module contains: $output .= '<h2 class="feed-item-title">' . check_plain($item->title) . '</h2>';
This isn't good enough at dealing with character entities and could open up an exploit.
So simply change line 421 to: $output .= '<h2 class="feed-item-title">' . filter_xss($item->title, array()) . '</h2>';
This issue was addressed in the original 5.x release of the aggregation module.
See: http://drupal.org/node/61456 for more info.
Thanks,
Justin.
Comments
Comment #1
robert castelo commentedFixed in next version. Also changed markup to h3 instead of h2 as the page title is h2.