Searched hist:"53df38b0e4465894a67a5890f74a6f5f82e827de" (Results 1 – 1 of 1) sorted by relevance

/dokuwiki/inc/parser/xhtml.php
53df38b0e4465894a67a5890f74a6f5f82e827de Mon May 15 06:06:00 UTC 2023 Andreas Gohr <andi@splitbrain.org> fix XSS in RSS syntax
The title was not correctly escaped when written to the doc in xhtml renderer.
SimplePie does no content escaping on its own (a comment in the code seems to suggest that that was assumed). Instead the content is passed on as-is from the feed.
This patch also applies some more escaping on the description output (though it should have been relatively safe thanks to the use of striptags).
This was discovered by @ry0tak and reported in https://huntr.dev/bounties/c6119106-1a5c-464c-94dd-ee7c5d0bece0/
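As an added illustration of the bug class the commit message describes, and not DokuWiki's or SimplePie's own code: a minimal renderer that writes a feed item's title and description into XHTML, first without escaping the title and then with every feed-supplied string escaped at the point it enters the markup. The `FeedItem` class, its `get_title()`/`get_description()` methods and the feed content are constructed for the demonstration.

```php
<?php
// Added example: escaping feed content before it is written into XHTML.
// FeedItem stands in for a feed-parser item that returns content as-is
// (the behaviour the commit message attributes to SimplePie); the values
// are constructed for this demonstration.

final class FeedItem
{
    public function __construct(private string $title, private string $description) {}
    public function get_title(): string { return $this->title; }             // no escaping
    public function get_description(): string { return $this->description; } // no escaping
}

// Vulnerable rendering: the title is interpolated into the markup unescaped,
// so any tags carried by the feed become live HTML in the page. The
// description only gets strip_tags(), which removes tags but leaves
// entities and quotes untouched.
function renderUnsafe(FeedItem $item): string
{
    return '<li><div class="li">' . $item->get_title()
        . ' ' . strip_tags($item->get_description()) . '</div></li>';
}

// Hardened rendering: every feed-supplied string is HTML-escaped where it is
// written into the document. strip_tags() is kept for the description, and
// escaping is applied after it so nothing is left unencoded.
function renderSafe(FeedItem $item): string
{
    $esc = fn(string $s): string => htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<li><div class="li">' . $esc($item->get_title())
        . ' ' . $esc(strip_tags($item->get_description())) . '</div></li>';
}

// Constructed feed item carrying markup in both fields.
$item = new FeedItem(
    '<script>alert("xss")</script>Release notes',
    'Fixes &amp; <b>improvements</b> "quoted"'
);

echo renderUnsafe($item), PHP_EOL; // the script tag from the title reaches the page intact
echo renderSafe($item), PHP_EOL;   // all angle brackets, ampersands and quotes are entity-encoded
```

Checking the rendered output of both functions for a literal `<script` substring is a quick regression test for the same class of bug in any renderer that embeds third-party feed text.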