Opened 2 years ago
Last modified 6 days ago
#17767 accepted defect (bug)
Anonymous comments can break comments RSS feed
| Reported by: |
|
Owned by: |
|
|---|---|---|---|
| Priority: | normal | Milestone: | Future Release |
| Component: | Feeds | Version: | 3.2 |
| Severity: | normal | Keywords: | 3.3-early westi-likes has-patch |
| Cc: | markjaquith |
Description
dc:creator and description elements should not be parsed.
Author field that can break RSS:
Аз се казвам Веселин Николов, това е едно много дълго име
Comment text that can break RSS:
–
(and most of the $allowedentitynames)
Attachments (2)
Change History (7)
- Component changed from General to Feeds
- Keywords 3.3-early westi-likes added
- Milestone changed from Awaiting Review to Future Release
- Owner set to westi
- Status changed from new to accepted
- Version set to 3.2
- Cc markjaquith added
- Keywords 2nd-opinion added
I blamed this back to #929.
I think we should move the ent2ncr calls later to prio 12 instead of 8 which fixes this issue without requiring CDATA'ing.
I would like a 2nd-opinion on this from Mark.
wonderboymusic — 4 months ago
comment:4
wonderboymusic — 4 months ago
- Keywords 2nd-opinion removed
- Milestone changed from Future Release to 3.6
The original patch added CDATA around <description> and <dc:creator> - <description> was added by Jaquith in [21238], so my freshed patch against trunk just does <dc:creator>
Note: See
TracTickets for help on using
tickets.
So the underlying issue here is that we use ent2ncr to convert named entities to numeric ones for XML and then do the HTML escaping which converts &ndash; to –.
So we need to apply this CDATA change to all the places we do this in feeds or change the order in which we do this filtering so that the named entities that esc_html santizes too will still be encoded.