authorMichael Tänzer <neo@nhng.de>2013-08-14 22:45:32 +0200
committerMichael Tänzer <neo@nhng.de>2013-08-14 22:45:32 +0200
commitbf5344ce04b8f37b658f481a09f1742f84c182a3 (patch)
tree7314050b7a2538733d41a1b959a30ae4aa5b0dd9
parentae73936f64df57d277ed3efda12dcb5cad1ddbf1 (diff)
downloadcacert-devel-bf5344ce04b8f37b658f481a09f1742f84c182a3.tar.gz
cacert-devel-bf5344ce04b8f37b658f481a09f1742f84c182a3.tar.xz
cacert-devel-bf5344ce04b8f37b658f481a09f1742f84c182a3.zip
bug 1190: RSS may contain HTML markup => decode it and then encode it again
Signed-off-by: Michael Tänzer <neo@nhng.de>
-rw-r--r--pages/index/0.php8
1 files changed, 7 insertions, 1 deletions
diff --git a/pages/index/0.php b/pages/index/0.php
index a2c2e5a..db46673 100644
--- a/pages/index/0.php
+++ b/pages/index/0.php
@@ -53,7 +53,13 @@
$query = "./description";
$nodeList = $xpath->query($query, $item);
- $description = recode_string("UTF8..html" , $nodeList->item(0)->nodeValue);
+ $description = $nodeList->item(0)->nodeValue;
+ // The description may contain HTML entities => convert them
+ $description = html_entity_decode($description, ENT_COMPAT | ENT_HTML401, 'UTF-8');
+ // Description may contain HTML markup and unicode characters => encode them
+ // If we didn't decode and then encode again, (i.e. take the content
+ // as it is in the RSS feed) we might inject harmful markup
+ $description = recode_string("UTF8..html", $description);
printf("<h3> %s </h3>\n", $title);
printf("<p> %s </p>\n", $description);