Fix: escape XML-unsafe characters in RSS feed #28

Merged
ralyodio merged 1 commit into profullstack:master from FuturMix:fix/rss-xml-injection on Jun 15, 2026

Conversation

@FuturMix

Contributor

Summary

Fixes #27

The RSS feed interpolates author names and slugs directly into XML without escaping, producing malformed XML for names with special characters.

Changes

  • apps/web/app/blog/rss.xml/route.ts:
    • Add escapeXml() helper for XML entity escaping
    • Escape author field with escapeXml()
    • Encode slug with encodeURIComponent() in link/guid URLs

Test plan

  • RSS feed with normal authors: renders correctly
  • RSS feed with & in author name: &amp; in output, valid XML
  • RSS feed validates with an XML parser

🤖 Generated with Claude Code

The RSS feed interpolates author names directly into XML without
escaping. An author name containing < > & or other XML metacharacters
produces malformed XML that breaks RSS readers.

Also encode slug in URLs with encodeURIComponent for safety.

Add an escapeXml helper and apply it to the author field; use
encodeURIComponent for slug in link/guid URLs.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
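The change described in the PR summary and commit message above, as an added example that is not the project's own route.ts: an escapeXml() helper applied to text nodes, encodeURIComponent() applied to the slug inside the link/guid URLs, and a side-by-side with the raw-interpolation shape the PR replaces. The Post type, SITE_URL and the sample post are assumptions; it also strips characters that are illegal in XML 1.0 even when escaped, which entity escaping alone does not cover.

```typescript
// Added example, not code from the project. Post shape and SITE_URL are assumed.
type Post = { title: string; slug: string; author: string };

const SITE_URL = "https://example.com"; // assumption

// Escape the five XML entities. '&' must be replaced first, otherwise the '&'
// introduced by the later replacements would itself be escaped again.
function escapeXml(value: string): string {
  return value
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&apos;");
}

// NUL, most C0 controls and U+FFFE/U+FFFF are not allowed anywhere in an
// XML 1.0 document, escaped or not. Entity escaping cannot fix them, so drop them.
function stripIllegalXmlChars(value: string): string {
  return value.replace(/[\u0000-\u0008\u000B\u000C\u000E-\u001F\uFFFE\uFFFF]/g, "");
}

function safeText(value: string): string {
  return escapeXml(stripIllegalXmlChars(value));
}

// The shape the PR replaces: author and slug interpolated raw into the XML.
function renderItemUnsafe(p: Post): string {
  return `<item><title>${p.title}</title><link>${SITE_URL}/blog/${p.slug}</link><author>${p.author}</author></item>`;
}

// The fixed shape: every text node escaped, slug percent-encoded inside the URL.
// encodeURIComponent turns '&' into '%26', so the URL carries no XML metacharacter.
function renderItem(p: Post): string {
  const url = `${SITE_URL}/blog/${encodeURIComponent(p.slug)}`;
  return [
    "<item>",
    `<title>${safeText(p.title)}</title>`,
    `<link>${safeText(url)}</link>`,
    `<guid>${safeText(url)}</guid>`,
    `<author>${safeText(p.author)}</author>`,
    "</item>",
  ].join("");
}

// Constructed sample: an author name with XML metacharacters and a slug with '&'.
const sample: Post = { title: "Tom & Jerry", slug: "a&b", author: "O'Brien <ob@example.com>" };
```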
ralyodio merged commit 5613469 into profullstack:master on Jun 15, 2026
5 checks passed

Development

Successfully merging this pull request may close these issues.

Bug: RSS feed XML injection via unescaped author field
