From 2bc73e2e36fefc3c1ee1b8e97e686c6729e58dcb Mon Sep 17 00:00:00 2001
From: Andy Staudacher <andy.st@gmail.com>
Date: Mon, 31 Aug 2009 21:51:57 -0700
Subject: Fix XSS vectors in HTML attributes (mostly t() calls)

---
 modules/rss/views/feed.mrss.php | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

(limited to 'modules/rss/views')

diff --git a/modules/rss/views/feed.mrss.php b/modules/rss/views/feed.mrss.php
index 731703c7..3612cbc0 100644
--- a/modules/rss/views/feed.mrss.php
+++ b/modules/rss/views/feed.mrss.php
@@ -22,25 +22,25 @@
     <lastBuildDate><?= $pub_date ?></lastBuildDate>
     <? foreach ($feed->children as $child): ?>
     <item>
-      <title><?= html::clean($child->title) ?></title>
+      <title><?= html::purify($child->title) ?></title>
       <link><?= url::abs_site("{$child->type}s/{$child->id}") ?></link>
       <guid isPermaLink="true"><?= url::abs_site("{$child->type}s/{$child->id}") ?></guid>
       <pubDate><?= date("D, d M Y H:i:s T", $child->created); ?></pubDate>
       <content:encoded>
         <![CDATA[
-          <span><?= html::clean($child->description) ?></span>
+          <span><?= html::purify($child->description) ?></span>
           <p>
           <? if ($child->type == "photo" || $child->type == "album"): ?>
             <img alt="" src="<?= $child->resize_url(true) ?>"
-                 title="<?= html::clean($child->title) ?>"
+                 title="<?= html::purify($child->title)->for_html_attr() ?>"
                  height="<?= $child->resize_height ?>" width="<?= $child->resize_width ?>" /><br />
           <? else: ?>
             <a href="<?= url::abs_site("{$child->type}s/{$child->id}") ?>">
             <img alt="" src="<?= $child->thumb_url(true) ?>"
-                 title="<?= html::clean($child->title) ?>"
+                 title="<?= html::purify($child->title)->for_html_attr() ?>"
                  height="<?= $child->thumb_height ?>" width="<?= $child->thumb_width ?>" /></a><br />
           <? endif ?>
-            <?= html::clean($child->description) ?>
+            <?= html::purify($child->description) ?>
           </p>
         ]]>
       </content:encoded>
-- 
cgit v1.2.3