Drupal 4.6.4 - XSS filtering: '&' double encoded (as entities) in URLs

I can confirm this bug.

URL:s in aggregator end up like this

function/rss_ArticleView.asp?lng=eng&at_code=296481

when they should look like this. (This is also how they now are saved in the db.)

function/rss_ArticleView.asp?lng=eng&at_code=296481

If I remove the calls to check_url() for $item->link in the functions theme_aggregator_block_item, theme_aggregator_summary_item and theme_aggregator_page_item the links comes out correct.

This make some sense I thinks because the feed items has already been "cleaned" in the aggregator_parse_feed function by filter_xss().

Is this a correct fix?

no. The correct way is _not_ to filter_xss $item['link'] but only check_url it. Why? Because the link is not HTML but a value of HREF attribute and therefore the filter_xss is not appropriate here. Someone would care to submit a patch? :)

I have attached a patch that does this

-      $value = filter_xss($value);
+      if ($key != 'LINK' && $key != 'GUID') {
+        $value = filter_xss($value);
+      }

It fix the problem on my site with no ill effects that I can see.

from a security standpoint of view, I am OK with this change, GUID is only used to replace link and link is check_url'd everywhere.

From an aggregator point of view , i have no idea.

Committed to DRUPAL-4-5 and DRUPAl-4-6. For HEAD, I'd like to move the filtering from 'on input' to 'on output'.