From 53df38b0e4465894a67a5890f74a6f5f82e827de Mon Sep 17 00:00:00 2001 From: Andreas Gohr Date: Mon, 15 May 2023 08:06:00 +0200 Subject: [PATCH] fix XSS in RSS syntax The title was not correctly escaped when written to the doc in xhtml renderer. SimplePie does no content escaping on its own (a comment in the code seems to suggest that that was assumed). Instead the content is passed on as-is from the feed. This patch also applies some more escaping on the description output (though it should have been relatively safe thanks to the use of striptags). This was discovered by @ry0tak and reported in https://huntr.dev/bounties/c6119106-1a5c-464c-94dd-ee7c5d0bece0/ --- inc/parser/xhtml.php | 19 ++++++++++--------- 1 file changed, 10 insertions(+), 9 deletions(-) diff --git a/inc/parser/xhtml.php b/inc/parser/xhtml.php index acf973fab3..ba7ec51a9b 100644 --- a/inc/parser/xhtml.php +++ b/inc/parser/xhtml.php @@ -1280,17 +1280,15 @@ public function rss($url, $params) { for($x = $start; $x != $end; $x += $mod) { $item = $feed->get_item($x); $this->doc .= '
  • '; - // support feeds without links + $lnkurl = $item->get_permalink(); + $title = html_entity_decode($item->get_title(), ENT_QUOTES, 'UTF-8'); + + // support feeds without links if($lnkurl) { - // title is escaped by SimplePie, we unescape here because it - // is escaped again in externallink() FS#1705 - $this->externallink( - $item->get_permalink(), - html_entity_decode($item->get_title(), ENT_QUOTES, 'UTF-8') - ); + $this->externallink($item->get_permalink(), $title); } else { - $this->doc .= ' '.$item->get_title(); + $this->doc .= ' '.hsc($item->get_title()); } if($params['author']) { $author = $item->get_author(0); @@ -1304,8 +1302,11 @@ public function rss($url, $params) { $this->doc .= ' ('.$item->get_local_date($conf['dformat']).')'; } if($params['details']) { + $desc = $item->get_description(); + $desc = strip_tags($desc); + $desc = html_entity_decode($desc, ENT_QUOTES, 'UTF-8'); $this->doc .= '
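Review bot: The two title branches now take different paths: the linked branch passes the entity-decoded `$title` to externallink(), while the `else` branch escapes the raw `$item->get_title()`, so a title that arrives as `A &amp; B` would display as "A & B" with a link but as "A &amp; B" without one. Using the value already computed two lines above, `$this->doc .= ' '.hsc($title);`, keeps both branches on the same decode-then-escape path that the details block in the second hunk uses. `$lnkurl` is likewise computed but the call still re-reads the item, so `$this->externallink($lnkurl, $title);` would avoid the second get_permalink() lookup. The enclosing `for` loop and the `rss()` method begin and end outside this hunk.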
    '; - $this->doc .= strip_tags($item->get_description()); + $this->doc .= hsc($desc); $this->doc .= '
    '; }
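Review bot: The order of the three `$desc` steps is what makes this block safe and it deserves a comment, because decoding after strip_tags can turn an entity-encoded tag such as `&lt;b&gt;` back into literal markup that strip_tags never saw, and only the final `hsc($desc)` neutralises it; a later refactor that swaps the decode and escape steps would silently undo the fix. Suggested comment above `$desc = strip_tags($desc);`: `// strip tags, then decode entities, then escape: hsc() must stay last, since decoding can recreate markup that strip_tags did not see`. A smaller point: `html_entity_decode` with `ENT_QUOTES` alone uses the HTML 4.01 table and presumably leaves `&apos;` (common in XML feeds) undecoded, so it would reach the page as the literal text `&apos;`; `ENT_QUOTES | ENT_HTML5` here and in the title decode of the first hunk would cover it. The `rss()` method continues past the end of this hunk.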