check_plain

jnorton - April 29, 2008 - 13:55
Project:News Page
Version:5.x-1.1
Component:Code
Category:bug report
Priority:normal
Assigned:Unassigned
Status:closed
Description

Hello,

I had a problem parsing characters using Google's RSS feeds. Basically ampersands were being rendered as &. Ampersands should just render as an & otherwise the output becomes ' whereas it should be '.

At line 421 the module contains: $output .= '<h2 class="feed-item-title">' . check_plain($item->title) . '</h2>';

This isn't good enough at dealing with character entities and could open up an exploit.

So simply change line 421 to: $output .= '<h2 class="feed-item-title">' . filter_xss($item->title, array()) . '</h2>';

This issue was addressed in the original 5.x release of the aggregation module.

See: http://drupal.org/node/61456 for more info.

Thanks,

Justin.
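Added example (not code from the News Page module or from Drupal core) showing the double-encoding the report describes and an entity-preserving alternative. The sample title is constructed; sanitize_feed_title() is a hypothetical, simplified re-implementation of the approach filter_xss() takes with an empty tag whitelist, not Drupal's own function.

```php
<?php
// Constructed sample: a title as an RSS feed might deliver it, with the
// apostrophe and ampersand already entity-encoded and a tag smuggled in.
$title = 'Drupal&#39;s release &amp; <script>alert(1)</script> notes';

// Equivalent of Drupal 5's check_plain(): escapes every special character,
// including the leading '&' of entities that are already encoded, so the
// browser shows the entity text literally instead of the character.
function escape_like_check_plain($text) {
  return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
}

// Hypothetical entity-preserving sanitizer, modelled on filter_xss() with
// an empty allowed-tag list (assumption: simplified; Drupal's function also
// checks attributes and URL protocols). Every '&' is escaped first, then
// only well-formed numeric and named entities are restored, and finally all
// tags are stripped. Text inside stripped tags is kept as plain text.
function sanitize_feed_title($text) {
  $text = str_replace('&', '&amp;', $text);
  // Decimal numeric entities, e.g. &#39;
  $text = preg_replace('/&amp;#([0-9]+;)/', '&#$1', $text);
  // Hexadecimal numeric entities, e.g. &#x27;
  $text = preg_replace('/&amp;#[Xx]0*((?:[0-9A-Fa-f]{2})+;)/', '&#x$1', $text);
  // Named entities, e.g. &amp; or &quot;
  $text = preg_replace('/&amp;([A-Za-z][A-Za-z0-9]*;)/', '&$1', $text);
  return strip_tags($text);
}

// Compare both outputs: the first double-encodes the existing entities,
// the second leaves them intact while still removing the tag.
echo escape_like_check_plain($title), "\n";
echo sanitize_feed_title($title), "\n";
```

Run with `php example.php` to see the double-encoded entities in the first line and the preserved ones in the second.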

#1

Robert Castelo - April 7, 2009 - 23:57
Status:active» fixed

Fixed in next version. Also changed markup to h3 instead of h2 as the page title is h2.

#2

System Message - April 22, 2009 - 00:00
Status:fixed» closed

Automatically closed -- issue fixed for 2 weeks with no activity.
