<summary> in Atom feed does not escape "&" as "&amp;", broken XML entity
Environment
- Installation type (OTP or From Source): From Source
- Pleroma version (could be found in the "Version" tab of settings in Pleroma-FE): 2.1.2 (with Pleroma-FE ofb225c357)
- Elixir version (elixir -v for from source installations, N/A for OTP):
  Erlang/OTP 23 [erts-11.1.1] [source] [64-bit] [smp:2:2] [ds:2:2:10] [async-threads:1]
  Elixir 1.10.3 (compiled with Erlang/OTP 22)
- Operating system: Debian bullseye
- PostgreSQL version (psql -V): psql (PostgreSQL) 13.0 (Debian 13.0-4)
Bug description
Pleroma does not escape "&" as "&amp;" within the <summary> tag on the Atom feed for a post with "&" in the Subject/Content Warning.
Steps to reproduce
- Post a public, listed status with a subject of "A & B"
- Fetch the Atom feed for this user, e.g. https://example.com/users/ExampleUser/feed.atom
- Try to parse it with an XML parser (tested with PHP's libxml and Firefox's XML viewer with RSS Preview)
Expected results
The "&" gets escaped to "&amp;" within the <summary> tag, e.g.
<summary>A &amp; B</summary>
Actual results
The "&" is passed on without escaping within the <summary> tag, breaking XML parsing:
<summary>A & B</summary>
PHP's LibXML says:
LibXML error 68 at line ### (column 40): xmlParseEntityRef: no name
Firefox with the RSS Preview extension says:
XML Parsing Error: not well-formed
Location: https://example.com/users/ExampleUser/feed.atom
Line Number ###, Column 40:
Possible fix
Make use of the escape() function referenced in _author.atom.eex …
Modifications to _activity.atom.eex:
<%= if @data["summary"] do %>
- <summary><%= @data["summary"] %></summary>
+ <summary><%= escape(@data["summary"]) %></summary>
<% end %>
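Review bot: confirm that escape/1 is actually in scope for _activity.atom.eex before relying on it; the report only says it is referenced in _author.atom.eex, so if it is defined locally in that view rather than imported into the shared feed view, the template will fail to compile. Also wrap any other `<%= @data[...] %>` fields in this template that carry user-controlled text, since "<", ">" and an unmatched entity break well-formedness exactly as the "&" does here; the nil case is already covered by the surrounding `if`.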
Note: Other areas might need escaping applied as well, e.g. the RSS feed templates, which also seemed unable to be parsed at this time (non-namespaced prefixes).