The title was not correctly escaped when written to the doc in xhtml renderer. SimplePie does no content escaping on its own (a comment in the code seems to suggest that that was assumed). Instead the content is passed on as-is from the feed. This patch also applies some more escaping on the description output (though it should have been relatively safe thanks to the use of striptags). This was discovered by @Ry0taK and reported in https://huntr.dev/bounties/c6119106-1a5c-464c-94dd-ee7c5d0bece0/
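The failure mode the commit message describes, as an added example that is not the commit's code or the project's renderer: PHP's built-in SimpleXML stands in for SimplePie, and the feed, the function names and the output markup are constructed for illustration. It shows that an entity-encoded title comes out of the parser as literal markup, and that `strip_tags` output still contains characters that need escaping.

```php
<?php
// Constructed sample feed (not from the page). The XML parser decodes the
// entity-encoded title and description back into literal markup.
$feedXml = <<<'XML'
<?xml version="1.0"?>
<rss version="2.0"><channel><title>demo</title><item>
<title>News &lt;em&gt;injected&lt;/em&gt; &amp; more</title>
<description>&lt;b&gt;5 &gt; 3 says "Bob"&lt;/b&gt;</description>
</item></channel></rss>
XML;

// Escape a feed-derived string for XHTML element and attribute context.
function esc(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Before: decoded strings from the parser are written into the page as-is.
// The title's <em> becomes live markup; strip_tags removes the <b> tags from
// the description but leaves > and " untouched.
function renderItemUnescaped(SimpleXMLElement $item): string
{
    return '<h3>' . $item->title . '</h3>'
         . '<p>' . strip_tags((string) $item->description) . '</p>';
}

// After: every feed-derived value is escaped at the point of output,
// including the one that already went through strip_tags.
function renderItemEscaped(SimpleXMLElement $item): string
{
    return '<h3>' . esc((string) $item->title) . '</h3>'
         . '<p>' . esc(strip_tags((string) $item->description)) . '</p>';
}

$item = simplexml_load_string($feedXml)->channel->item[0];
echo renderItemUnescaped($item), "\n";
echo renderItemEscaped($item), "\n";
```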