Hello,

I had a problem parsing characters using Google's RSS feeds. Basically ampersands were being rendered as &. Ampersands should just render as an & otherwise the output becomes ' whereas it should be '.

At line 421 the module contains: $output .= '<h2 class="feed-item-title">' . check_plain($item->title) . '</h2>';

This isn't good enough at dealing with character entities and could open up an exploit.

So simply change line 421 to: $output .= '<h2 class="feed-item-title">' . filter_xss($item->title, array()) . '</h2>';

This issue was addressed in the original 5.x release of the aggregation module.

See: http://drupal.org/node/61456 for more info.

Thanks,

Justin.

Comments

robert castelo’s picture

Status: Active » Fixed

Fixed in next version. Also changed markup to h3 instead of h2 as the page title is h2.

Status: Fixed » Closed (fixed)

Automatically closed -- issue fixed for 2 weeks with no activity.