Opened 13 years ago
Closed 11 years ago
#17767 closed defect (bug) (fixed)
Anonymous comments can break comments RSS feed
| Reported by: |
dzver
|
Owned by: |
westi
|
|---|---|---|---|
| Milestone: | 3.7 | Priority: | normal |
| Severity: | normal | Version: | 3.2 |
| Component: | Feeds | Keywords: | 3.3-early westi-likes has-patch easy-fix |
| Focuses: | Cc: |
Description
dc:creator and description elements should not be parsed.
Author field that can break RSS:
Аз се казвам Веселин Николов, това е едно много дълго име
Comment text that can break RSS:
–
(and most of the $allowedentitynames)
Attachments (2)
Change History (10)
#1
@
13 years ago
- Component changed from General to Feeds
- Keywords 3.3-early westi-likes added
- Milestone changed from Awaiting Review to Future Release
- Owner set to westi
- Status changed from new to accepted
- Version set to 3.2
#3
@
13 years ago
- Cc markjaquith added
- Keywords 2nd-opinion added
I blamed this back to #929.
I think we should move the ent2ncr calls later to prio 12 instead of 8 which fixes this issue without requiring CDATA'ing.
I would like a 2nd-opinion on this from Mark.
@
@
@Note: See
TracTickets for help on using
tickets.
So the underlying issue here is that we use ent2ncr to convert named entities to numeric ones for XML and then do the HTML escaping which converts
–to–.So we need to apply this CDATA change to all the places we do this in feeds or change the order in which we do this filtering so that the named entities that esc_html santizes too will still be encoded.