From 408df36c0b380b57ba8f25cd10fd45a355b0191b Mon Sep 17 00:00:00 2001
From: Alex Schroeder
Date: Sun, 2 Aug 2015 22:18:02 +0200
Subject: [PATCH] Fix XSS attack in RSS feeds

If the page content is not printed, then the page summary is plain text. In other words, it needs to be HTML-quoted.
---
 t/xss.t | 4 +++-
 wiki.pl | 2 ++
 2 files changed, 5 insertions(+), 1 deletion(-)

diff --git a/t/xss.t b/t/xss.t
index ce7d263f..bda06d29 100644
--- a/t/xss.t
+++ b/t/xss.t
@@ -14,9 +14,11 @@ require 't/test.pl';
 package OddMuse;
-use Test::More tests => 2;
+use Test::More tests => 3;
 test_page(update_page('Test', 'Content is saved', ''), 'Content is saved');
 test_page(get_page('action=browse id=Test diff=1'), '<xss>');
+test_page(get_page('action=rss'),
+ '&lt;xss&gt;');
diff --git a/wiki.pl b/wiki.pl
index 5590fd84..8d42674a 100755
--- a/wiki.pl
+++ b/wiki.pl
@@ -1909,6 +1909,8 @@ sub RssItem {
 my $name = ItemName($id);
 if (GetParam('full', 0)) { # full page means summary is not shown
 $summary = PageHtml($id, 50 * 1024, T('This page is too big to send over RSS.'));
+ } else {
+ $summary = QuoteHtml($summary); # page summary must be quoted
 }
 my $date = TimeToRFC822($ts);
 $username = QuoteHtml($username);
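Review bot: The new `action=rss` assertion only confirms that the escaped form `&lt;xss&gt;` occurs somewhere in the feed; it does not establish that the raw `<xss>` is absent, so a regression that emits the summary a second time unescaped, or escapes a different field than the one under test, would still pass. Pair it with a negative check (the test helper's negative counterpart, if t/test.pl provides one) that the literal `<xss>` does not occur in the feed body. The case also exercises only the default branch of RssItem; the `full=1` path goes through PageHtml and is not covered here, which deserves either a second case or a one-line comment saying it is intentionally out of scope. Where the `<xss>` payload is saved is not visible in this hunk, so the setup presumably sits above line 14.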
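Review bot: After this change `$summary` holds rendered HTML in one branch and escaped plain text in the other, and nothing downstream can tell the two apart; the escaping itself is right, but a single assignment makes the trust boundary visible, e.g. `$summary = GetParam('full', 0) ? PageHtml($id, 50 * 1024, T('This page is too big to send over RSS.')) : QuoteHtml($summary);`. The fix also assumes every caller of RssItem passes the summary unescaped — a caller that already quoted it would now double-escape — so that contract belongs in the comment, e.g. `# $summary arrives as raw page text; escape it here, once, before it goes into the feed`. QuoteHtml is applied to `$username` on the next line as well, so the visible fields are consistent, but whether `$name` from ItemName is escaped before emission cannot be confirmed from this hunk. RssItem begins before the hunk and continues past it.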