<summary> in Atom feed does not escape "&" as "&", broken XML entity
Environment
- Installation type (OTP or From Source):
From Source - Pleroma version (could be found in the "Version" tab of settings in Pleroma-FE):
2.1.2(with Pleroma-FE ofb225c357) - Elixir version (
elixir -vfor from source installations, N/A for OTP):Erlang/OTP 23 [erts-11.1.1] [source] [64-bit] [smp:2:2] [ds:2:2:10] [async-threads:1]Elixir 1.10.3 (compiled with Erlang/OTP 22)
- Operating system:
Debian bullseye - PostgreSQL version (
psql -V):psql (PostgreSQL) 13.0 (Debian 13.0-4)
Bug description
Pleroma does not escape & as & within the <summary> tag on the Atom feed for a post with & in the Subject/Content Warning.
Steps to reproduce
- Post a public, listed status with a subject of "A & B"
- Fetch the Atom feed for this user
- E.g.
https://example.com/users/ExampleUser/feed.atom
- E.g.
- Try to parse it with an XML parser (tested with PHP's
libxmland Firefox's XML viewer with RSS Preview)
Expected results
The & gets escaped to & within the <summary> tag, e.g.
<summary>A & B</summary>Actual results
The & is passed on without escaping within the <summary> tag, breaking XML parsing.
<summary>A & B</summary>PHP's LibXML says:
LibXML error 68 at line ### (column 40): xmlParseEntityRef: no nameFirefox with the RSS Preview extension says:
XML Parsing Error: not well-formed
Location: https://example.com/users/ExampleUser/feed.atom
Line Number ###, Column 40:Possible fix
Make use of the escape() function referenced in _author.atom.eex…
Modifications to _activity.atom.eex:
<%= if @data["summary"] do %>
- <summary><%= @data["summary"] %></summary>
+ <summary><%= escape(@data["summary"]) %></summary>
<% end %>Note: Other areas might need escaping applied as well, e.g. the RSS feed templates, which also seemed unable to be parsed at this time (non-namespaced prefixes).