If you have your RSS feeds configured to output the full text of nodes, and you use views_rss to generate an RSS feed, the feed will have the raw body content of the nodes in the feed. However, the body content ought to have input filters applied.

To reproduce, set the RSS settings to include full-text (rather than just the teaser). Then look at the default frontpage view's feed, which is at frontpage/feed. The feed's items will have been output without input filtering.

This is a security bug, because it enables stored cross-site scripting attacks. Consider, if you have a site in which users may register and submit content all without prior approval. A malicious user could submit content with malicious JavaScript (or some other malicious code), which would then be transmitted, unfiltered, via any views RSS feeds. Any user who happens to look at the feed would have the malicious code run in his browser.

The fix is trivial. The return value of node_invoke() needs to be assigned to the output object, thusly:

142c142
< node_invoke($item, 'view', $teaser, FALSE);
---
> $item = node_invoke($item, 'view', $teaser, FALSE);
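Review bot: Assigning the return value is the right fix, since, as the report above says, it is the returned object that carries the filtered body while the argument passed in stays raw; but this is an ed-style diff with no context lines (142c142), so `patch` will apply it to whatever line 142 is in a shifted file, and a unified diff with a few lines of surrounding context would be safer to review and apply. It is also worth confirming that the code after this line reads the body from `$item` rather than from a copy taken before the call, otherwise the filtered node is still discarded.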

-TimK
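As an added defender-side check (not part of the original report or of views_rss), the function below parses an RSS feed and flags items whose description still carries active markup, which is what an unfiltered full-text feed would expose; the feed XML here is constructed for illustration. It treats the XML-decoded description as the HTML a reader would render, so entity-escaped tags produced by input filtering are correctly left unflagged.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample feed (not from the page). Item 1 mimics a body emitted
# without input filtering (raw HTML in CDATA), item 2 the same body after
# filtering escaped the script tag, item 3 an event-handler attribute.
SAMPLE_FEED = """<rss version="2.0">
<channel>
<title>frontpage</title>
<item>
<title>Unfiltered node</title>
<link>http://example.test/node/1</link>
<description><![CDATA[<p>hello</p><script>alert(1)</script>]]></description>
</item>
<item>
<title>Filtered node</title>
<link>http://example.test/node/2</link>
<description>&lt;p&gt;hello&lt;/p&gt;&amp;lt;script&amp;gt;alert(1)&amp;lt;/script&amp;gt;</description>
</item>
<item>
<title>Event handler</title>
<link>http://example.test/node/3</link>
<description>&lt;img src="x" onerror="alert(1)"&gt;</description>
</item>
</channel>
</rss>
"""

# Markup a feed reader would execute: script elements, on* handler attributes
# inside a tag, and javascript: URLs.
ACTIVE_MARKUP = re.compile(r"<\s*script\b|<[^>]*\son[a-z]+\s*=|javascript\s*:", re.I)


def find_unfiltered_items(feed_xml):
    """Return (title, link) pairs for items whose description holds active markup."""
    root = ET.fromstring(feed_xml)
    flagged = []
    for item in root.iter("item"):
        # ElementTree applies XML decoding only; what remains is the HTML string
        # a reader parses, so HTML entities inside it stay literal text and must
        # not be unescaped again before scanning.
        desc = item.findtext("description") or ""
        if ACTIVE_MARKUP.search(desc):
            flagged.append((item.findtext("title"), item.findtext("link")))
    return flagged


if __name__ == "__main__":
    for title, link in find_unfiltered_items(SAMPLE_FEED):
        print(f"unfiltered item: {title} ({link})")
```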

Attachments:
#1 views_rss.module.HEAD_.patch (570 bytes) by gnassar

Comments

gnassar:

Status: Active » Needs review
File: views_rss.module.HEAD_.patch (570 bytes)

Had the same problem. TimK's patch seems to have fixed it. Nice catch!

Went ahead and made up a patch for it.

gnassar:

Status: Needs review » Reviewed & tested by the community

As a security bug, it'd be nice to get this into HEAD before the 6 freeze, I imagine, for any future branching.

merlinofchaos:

Status: Reviewed & tested by the community » Fixed

Committed to -dev! Thanks!

Anonymous:

Status: Fixed » Closed (fixed)

rfay:

Version: 5.x-1.6-beta5 » 5.x-1.6
Status: Closed (fixed) » Active

Although the CHANGELOG.txt for views 5.x-1.6 says that this patch was applied, it was not, and this bug still exists in 5.x-1.6.

merlinofchaos:

Status: Active » Reviewed & tested by the community

esmerel:

Status: Reviewed & tested by the community » Closed (won't fix)

At this time, only security fixes will be made to the 5.x version of Views.