Pleroma / pleroma · Issue #2291 · Closed
Issue created Nov 06, 2020 by Shane S.@digitalcircuit

<summary> in Atom feed does not escape "&" as "&amp;", broken XML entity

Environment

  • Installation type (OTP or From Source): From Source
  • Pleroma version (could be found in the "Version" tab of settings in Pleroma-FE): 2.1.2 (with Pleroma-FE of b225c357)
  • Elixir version (elixir -v for from source installations, N/A for OTP):
    • Erlang/OTP 23 [erts-11.1.1] [source] [64-bit] [smp:2:2] [ds:2:2:10] [async-threads:1]
    • Elixir 1.10.3 (compiled with Erlang/OTP 22)
  • Operating system: Debian bullseye
  • PostgreSQL version (psql -V): psql (PostgreSQL) 13.0 (Debian 13.0-4)

Bug description

Pleroma does not escape & as &amp; within the <summary> tag on the Atom feed for a post with & in the Subject/Content Warning.

Steps to reproduce

  1. Post a public, listed status with a subject of "A & B"
  2. Fetch the Atom feed for this user
    • E.g. https://example.com/users/ExampleUser/feed.atom
  3. Try to parse it with an XML parser (tested with PHP's libxml and Firefox's XML viewer with RSS Preview)

Expected results

The & gets escaped to &amp; within the <summary> tag, e.g.

<summary>A &amp; B</summary>

Actual results

The & is passed on without escaping within the <summary> tag, breaking XML parsing.

<summary>A & B</summary>

PHP's LibXML says:

LibXML error 68 at line ### (column 40): xmlParseEntityRef: no name

Firefox with the RSS Preview extension says:

XML Parsing Error: not well-formed
Location: https://example.com/users/ExampleUser/feed.atom
Line Number ###, Column 40:

Possible fix

Make use of the escape() function referenced in _author.atom.eex…

Modifications to _activity.atom.eex:

   <%= if @data["summary"] do %>
-    <summary><%= @data["summary"] %></summary>
+    <summary><%= escape(@data["summary"]) %></summary>
   <% end %>
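Review bot: `escape/1` is only referenced from `_author.atom.eex` in the description above, so confirm it is actually in scope for `_activity.atom.eex` (same view module or an explicit import) and that it covers `<` and `>` in addition to `&`; otherwise a subject such as `A < B` would still produce a feed that is not well-formed. Since the description also notes that other feed templates could not be parsed, the same `escape(...)` wrapping should be applied to every other place in these templates where user-controlled text is interpolated, not only to `<summary>`.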

Note: Other areas might need escaping applied as well, e.g. the RSS feed templates, which also seemed unable to be parsed at this time (non-namespaced prefixes).
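To make the failure and the fix reproducible outside of Pleroma, here is an added Python example; it is not code from this issue or from the Pleroma project. It models the template line quoted above with and without an escaping step, hands each result to a strict XML parser, and checks that the escaped text decodes back to the original subject. It goes a little beyond the report: besides `&` it also covers `<`, `>` and a subject that already contains a literal `&amp;`. The subjects are constructed samples, and `xml.sax.saxutils.escape` stands in for the template's `escape()` helper, which is an assumption about what that helper does.

```python
"""Show why user-supplied text must be XML-escaped before it is interpolated
into an Atom feed, using a strict parser to judge the result.

Added example; not part of the issue or of Pleroma. The escaping function used
here (xml.sax.saxutils.escape) is assumed to behave like the template's
escape() helper: it rewrites '&', '<' and '>' as entities.
"""
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

ATOM_NS = "http://www.w3.org/2005/Atom"

# Constructed sample subjects (content warnings). The first is the case from
# the report; the others probe '<', '>' and a pre-existing entity.
SAMPLE_SUBJECTS = ["A & B", "A < B", "spoilers > none", "A &amp; B"]


def render_entry(subject: str, escaped: bool) -> str:
    """Render a minimal Atom <entry> with a <summary> element.

    escaped=False mirrors the buggy template line (verbatim interpolation);
    escaped=True mirrors the proposed fix (escape before interpolation).
    """
    text = escape(subject) if escaped else subject
    return (
        f'<entry xmlns="{ATOM_NS}">'
        "<id>tag:example.com,2020:constructed-entry</id>"
        f"<summary>{text}</summary>"
        "</entry>"
    )


def parse_summary(xml_text: str):
    """Parse with a strict XML parser and pull out the summary text.

    Returns (ok, value): on a well-formedness error ok is False and value is
    the parser message; otherwise value is the decoded <summary> text.
    """
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return False, str(exc)
    for element in root.iter():
        # Match the local name so a namespaced or bare <summary> both work.
        if element.tag.split("}")[-1] == "summary":
            return True, element.text or ""
    return True, ""


def check_feed_escaping(subjects=SAMPLE_SUBJECTS):
    """Compare unescaped vs escaped rendering for each subject.

    Returns {subject: {"raw_ok", "raw_roundtrip", "escaped_ok",
    "escaped_roundtrip"}}; *_ok is whether the feed parses at all and
    *_roundtrip is whether the parsed summary equals the original subject.
    """
    results = {}
    for subject in subjects:
        raw_ok, raw_value = parse_summary(render_entry(subject, escaped=False))
        esc_ok, esc_value = parse_summary(render_entry(subject, escaped=True))
        results[subject] = {
            "raw_ok": raw_ok,
            "raw_roundtrip": raw_ok and raw_value == subject,
            "escaped_ok": esc_ok,
            "escaped_roundtrip": esc_ok and esc_value == subject,
        }
    return results


if __name__ == "__main__":
    for subject, outcome in check_feed_escaping().items():
        print(f"{subject!r}: {outcome}")
```

Two of the results are worth noting. A bare `>` in character data is tolerated by XML parsers, so that subject parses even without escaping, which is why a single "it parses for me" test is not enough evidence that a template escapes correctly. Conversely, a subject that already contains `&amp;` parses fine unescaped but comes back as `A & B`, so skipping the escape step silently alters what the user wrote even when nothing breaks.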
