Correctly encode html in rss feed

2 files changed, 7 insertions, 3 deletions

diff --git a/NEWS b/NEWS
index 7a50cd5..27ceb18 100644
--- a/NEWS
+++ b/NEWS
@@ -1,3 +1,6 @@
+
+- correctly encode html in rss feed
+
 Version 0.14
 
 - set ENCODING when creating templates
diff --git a/tmpl/advisory_item.rss b/tmpl/advisory_item.rss
index 244db78..99c73d8 100644
--- a/tmpl/advisory_item.rss
+++ b/tmpl/advisory_item.rss
@@ -1,6 +1,7 @@
+[%- USE HTML -%]
 [% SET advisory = advdb.advisories.$adv -%]
         <item>
-            <title>[% adv %] - [% advisory.subject %]</title>
+            <title>[% adv %] - [% HTML.escape(advisory.subject) %]</title>
             <link>[% config.site_url %]/[% basename.ID(adv) %].html</link>
             <guid isPermaLink="false">[% adv %]</guid>
             <pubDate>[% date.format(advisory.status.published, format => '%a, %d %b %Y %H:%M:%S', gmt => 1) %] GMT</pubDate>
@@ -30,13 +31,13 @@
 
         &lt;h2&gt;Description&lt;/h2&gt;
         &lt;pre&gt;
-        [%- advisory.description -%]
+        [%- HTML.escape(advisory.description) -%]
         &lt;/pre&gt;
 
         &lt;h2&gt;References&lt;/h2&gt;
         &lt;ul&gt;
             [% FOREACH ref IN advisory.references -%]
-            &lt;li&gt;&lt;a href="[% ref %]"&gt;[% ref %]&lt;/a&gt;&lt;/li&gt;
+            &lt;li&gt;&lt;a href="[% HTML.escape(ref) %]"&gt;[% HTML.escape(ref) %]&lt;/a&gt;&lt;/li&gt;
             [% END %]
             [%- IF advisory.CVE -%]
             [%- FOREACH cve IN advisory.CVE.list -%]