diff options
author | Michael Tänzer <neo@nhng.de> | 2013-08-14 22:45:32 +0200 |
---|---|---|
committer | Michael Tänzer <neo@nhng.de> | 2013-08-14 22:45:32 +0200 |
commit | bf5344ce04b8f37b658f481a09f1742f84c182a3 (patch) | |
tree | 7314050b7a2538733d41a1b959a30ae4aa5b0dd9 | |
parent | ae73936f64df57d277ed3efda12dcb5cad1ddbf1 (diff) | |
download | cacert-devel-bf5344ce04b8f37b658f481a09f1742f84c182a3.tar.gz cacert-devel-bf5344ce04b8f37b658f481a09f1742f84c182a3.tar.xz cacert-devel-bf5344ce04b8f37b658f481a09f1742f84c182a3.zip |
bug 1190: RSS may contain HTML markup => decode it and then encode it again
Signed-off-by: Michael Tänzer <neo@nhng.de>
-rw-r--r-- | pages/index/0.php | 8 |
1 files changed, 7 insertions, 1 deletions
diff --git a/pages/index/0.php b/pages/index/0.php index a2c2e5a..db46673 100644 --- a/pages/index/0.php +++ b/pages/index/0.php @@ -53,7 +53,13 @@ $query = "./description"; $nodeList = $xpath->query($query, $item); - $description = recode_string("UTF8..html" , $nodeList->item(0)->nodeValue); + $description = $nodeList->item(0)->nodeValue; + // The description may contain HTML entities => convert them + $description = html_entity_decode($description, ENT_COMPAT | ENT_HTML401, 'UTF-8'); + // Description may contain HTML markup and unicode characters => encode them + // If we didn't decode and then encode again, (i.e. take the content + // as it is in the RSS feed) we might inject harmful markup + $description = recode_string("UTF8..html", $description); printf("<h3> %s </h3>\n", $title); printf("<p> %s </p>\n", $description); |