Feeling Lucky
?
[#4863] - Fix: & in url of newsfeed not escaped Ref: #4862
- Closed
- 21 Oct 2014
- Medium
- Build: staging
- Easy Test
- # 4863
- Diff
- zero-24:patch-8
- Success The Travis CI build passed Details
Related to
# 4862
User tests: Successful: Unsuccessful:
Steps to reproduce the issue
Make a module "Feed display" and take for eg. this as feed Url: http://www.zdnet.de/feed/
Expected result
The above feed gives URLs like
In line 104 of /modules/mod_feed/tmpl/default
<?php echo $uri; ?>
should be replaced with
<?php preg_replace('/&(?!amp;)/', '&', $uri); ?>
<?php echo $uri; ?>
also in line 66 of the same file.
Actual result
& don't get replaced.
System information (as much as possible)
Joomla! 3.3.6
Additional comments
See: #4862 by @dirk-graetz
jissues-bot
- | Labels |
Added:
?
|
||
| Category | ⇒ | Front End Modules |
| Easy | No | ⇒ | Yes |
| Rel_Number | ⇒ | 4862 | |
| Relation Type | ⇒ | Related to |
dirk-graetz
- 
infograf768
- comment
- 21 Oct 2014
It would give
diff --git a/modules/mod_feed/tmpl/default.php b/modules/mod_feed/tmpl/default.php
index 56f2e2f..ce8732a 100644
--- a/modules/mod_feed/tmpl/default.php
+++ b/modules/mod_feed/tmpl/default.php
@@ -64,5 +64,5 @@
?>
<h2 class="<?php echo $direction; ?>">
- <a href="<?php echo str_replace('&', '&', $rssurl); ?>" target="_blank">
+ <a href="<?php echo htmlspecialchars($rssurl); ?>" target="_blank">
<?php echo $feed->title; ?></a>
</h2>
@@ -102,5 +102,5 @@
<?php if (!empty($uri)) : ?>
<h5 class="feed-link">
- <a href="<?php echo $uri; ?>" target="_blank">
+ <a href="<?php echo htmlspecialchars($uri); ?>" target="_blank">
<?php echo $feed[$i]->title; ?></a></h5>
<?php else : ?>
and solves the issue
zero-24
- comment
- 21 Oct 2014
fixed @infograf768
| Status | Pending | ⇒ | Closed |
| Closed_Date | 0000-00-00 00:00:00 | ⇒ | 2014-10-21 14:29:57 |
| Status | Pending | ⇒ | Closed |
| Closed_Date | 0000-00-00 00:00:00 | ⇒ | 2014-10-21 14:29:58 |
Can't we use here
htmlspecialchars?