Escape RSS description as XML
This is to avoid including characters invalid for XML.

Fixes gohugoio#3268
horgh committed Oct 8, 2018
1 parent 646a52a commit 0494bc4
Showing 6 changed files with 25 additions and 5 deletions.
2 changes: 1 addition & 1 deletion docs/content/en/templates/rss.md
Expand Up @@ -79,7 +79,7 @@ This is the default RSS template that ships with Hugo. It adheres to the [RSS 2.
<pubDate>{{ .Date.Format "Mon, 02 Jan 2006 15:04:05 -0700" | safeHTML }}</pubDate>
{{ with .Site.Author.email }}<author>{{.}}{{ with $.Site.Author.name }} ({{.}}){{end}}</author>{{end}}
<guid>{{ .Permalink }}</guid>
<description>{{ .Summary | html }}</description>
<description>{{ .Summary | XML }}</description>
</item>
{{ end }}
</channel>
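
Review bot: the `<description>` line in this documented template now depends on a function named `XML`, but none of the six files in this commit adds a docs entry for it, so readers copying the template have nowhere to look up what it does. Add a page under docs/content/ that describes `XML`, including that its purpose is to keep characters invalid for XML out of the output, and link it from this section.
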
2 changes: 1 addition & 1 deletion hugolib/site_test.go
Expand Up @@ -607,7 +607,7 @@ my_param = "baz"
my_date = 2010-05-27T07:32:00Z
categories = [ "hugo" ]
+++
Front Matter with Ordered Pages 4. This is longer content`
Front Matter with Ordered Pages 4. <div>This is longer content with vertical tab: .</div>`

var weightedSources = [][2]string{
{filepath.FromSlash("sect/doc1.md"), weightedPage1},
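
Review bot: the fixture line "Front Matter with Ordered Pages 4." gains a `<div>` and a vertical tab, but nothing in this hunk or in the rest of the commit asserts how either one comes out in the rendered feed, so the test cannot fail if the escaping regresses. Add an expectation on the generated RSS description for this page. The vertical tab is also an invisible literal inside a raw string, which an editor or formatter can drop silently; concatenating a `"\v"` piece between two raw strings would keep it visible in the source.
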
5 changes: 5 additions & 0 deletions tpl/safe/init.go
Expand Up @@ -73,6 +73,11 @@ func init() {
[][2]string{},
)

ns.AddMethodMapping(ctx.XML,
[]string{"XML"},
[][2]string{},
)

return ns

}
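
Review bot: the mapping for `ctx.XML` is registered with an empty examples list (`[][2]string{}`), so the function ships without a single input/output pair showing what it does to `<`, `&` or an invalid character. Add at least one example pair here. The bare alias `XML` is also much more generic than the `safeHTML` style used in the templates touched by this commit; a name that says it escapes would be harder to misread.
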
15 changes: 15 additions & 0 deletions tpl/safe/safe.go
Expand Up @@ -14,6 +14,8 @@
package safe

import (
"bytes"
"encoding/xml"
"html/template"

"github.com/gohugoio/hugo/helpers"
Expand Down Expand Up @@ -69,3 +71,16 @@ func (ns *Namespace) SanitizeURL(a interface{}) (string, error) {
s, err := cast.ToStringE(a)
return helpers.SanitizeURL(s), err
}

// XML returns a string escaped as XML and flagged to not be escaped as HTML.
func (ns *Namespace) XML(a interface{}) (template.HTML, error) {


@moorereason

moorereason Oct 9, 2018

This is a great start. If you're up for it, I'll guide you through a few changes and then you can submit a PR. If you don't have time to do this, let me know.

  1. Move this to the transform template namespace instead of safe.
  2. Follow the transform.HTMLEscape example.
  3. Use our bufferpool package instead of bytes.Buffer. Example
  4. Add a new TestXMLEscape func to transform_test.go similar to TestHTMLEscape. You can probably maintain the HTML tests and just add a new one for illegal XML chars.
  5. Before we commit a PR, we'll probably want to add docs to the docs/content/ area.

I'm torn about returning HTML. We may end up just returning a string and forcing the user to pipe through html. Otherwise, people won't be able to use this function in text templates.

@horgh

horgh Oct 10, 2018

Author Owner

Wow, thanks for the help! You're awesome. I'll definitely try making the changes.

@horgh

horgh Oct 10, 2018

Author Owner

Yeah, it sounds like returning a regular string would be okay and be the most flexible.

@horgh

horgh Oct 14, 2018

Author Owner

Sorry for the delay. I made those changes. It works well when I test with a test site.

I still didn't succeed in getting a test working in hugolib/rss_test.go where the vertical tab gets escaped (you can see I changed data it uses in hugolib/site_test.go), but maybe it's okay as is. (I was thinking of having an end to end test).

I think I could make a PR now. What do you think? I can squash before doing that but thought I'd leave it in case it messes up this thread.

Thanks again!

s, err := cast.ToStringE(a)
if err != nil {
return "", err
}
var buf bytes.Buffer
if err := xml.EscapeText(&buf, []byte(s)); err != nil {
return "", err
}
return template.HTML(buf.String()), nil
}
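
Review bot: the new `XML` method has no unit test; none of the six changed files is a test under tpl/safe, and the only test change is fixture text in hugolib/site_test.go. Add a table test that covers markup characters, the vertical tab from the fixture, and the `cast.ToStringE` error path. The doc comment should also say what happens to characters that are invalid in XML, since that is the stated purpose of the commit, and because the result is returned as `template.HTML` it is not escaped again by the template engine, so the comment should say the output is meant for XML contexts only.
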
2 changes: 1 addition & 1 deletion tpl/tplimpl/embedded/templates.autogen.go

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

4 changes: 2 additions & 2 deletions tpl/tplimpl/embedded/templates/_default/rss.xml
Original file line number Diff line number Diff line change
Expand Up @@ -19,8 +19,8 @@
<pubDate>{{ .Date.Format "Mon, 02 Jan 2006 15:04:05 -0700" | safeHTML }}</pubDate>
{{ with .Site.Author.email }}<author>{{.}}{{ with $.Site.Author.name }} ({{.}}){{end}}</author>{{end}}
<guid>{{ .Permalink }}</guid>
<description>{{ .Summary | html }}</description>
<description>{{ .Summary | XML }}</description>
</item>
{{ end }}
</channel>
</rss>
</rss>
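
Review bot: on the `<description>` line, `XML` runs the summary through `xml.EscapeText` (tpl/safe/safe.go in this commit), which also rewrites newlines, tabs and carriage returns as numeric character references, so multi-line summaries will be emitted differently from the previous `html` output for every site that uses the embedded template. Confirm that this is intended, mention it in the commit message, and check any expected feed output in the tests against it.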
