Merge pull request #767 from sebgie/issue#715

Escape RSS post title
2024-11-24 06:35:49 +03:00 · 2013-09-16 06:34:11 -07:00 · 2013-09-16 06:34:11 -07:00 · 84e84b0612
commit 84e84b0612
parent cefa0e14ef 141361c40e
2 changed files with 57 additions and 37 deletions
--- a/core/server/controllers/frontend.js
+++ b/core/server/controllers/frontend.js
@ -7,6 +7,7 @@
 var Ghost = require('../../ghost'),
    api = require('../api'),
    RSS = require('rss'),
+    _ = require('underscore'),

    ghost = new Ghost(),
    frontendControllers;
@ -66,17 +67,19 @@ frontendControllers = {
    'rss': function (req, res) {
        // Initialize RSS
        var siteUrl = ghost.config().url,
+            pageParam = req.params.page !== undefined ? parseInt(req.params.page, 10) : 1,
+            feed;
+        //needs refact for multi user to not use first user as default
+        api.users.read({id : 1}).then(function (user) {
            feed = new RSS({
                title: ghost.settings('title'),
                description: ghost.settings('description'),
                generator: 'Ghost v' + res.locals.version,
-                author: ghost.settings('author'),
+                author: user.attributes.name,
                feed_url: siteUrl + '/rss/',
                site_url: siteUrl,
                ttl: '60'
-            }),
-            // Parse the page number
-            pageParam = req.params.page !== undefined ? parseInt(req.params.page, 10) : 1;
+            });

            // No negative pages
            if (isNaN(pageParam) || pageParam < 1) {
@ -104,7 +107,7 @@ frontendControllers = {
                ghost.doFilter('prePostsRender', page.posts, function (posts) {
                    posts.forEach(function (post) {
                        var item = {
-                        title:  post.title,
+                            title:  _.escape(post.title),
                            guid: post.uuid,
                            url: siteUrl + '/' + post.slug + '/',
                            date: post.published_at
@ -120,6 +123,7 @@ frontendControllers = {
                    res.send(feed.xml());
                });
            });
+        });
    }
 };

--- a/core/test/functional/frontend/02_rss_test.js
+++ b/core/test/functional/frontend/02_rss_test.js
@ -0,0 +1,16 @@
+/**
+ * Tests if RSS exists and is working
+ */
+casper.test.begin('Ensure that RSS is available', 3, function suite(test) {
+    test.filename = 'rss_test.png';
+
+    casper.start(url + 'rss/', function (response) {
+        test.assertEqual(response.status, 200, 'Response status should be 200.');
+        test.assert(this.getPageContent().indexOf('<rss') >= 0, 'Feed should contain <rss');
+        test.assert(this.getPageContent().indexOf('</rss>') >= 0, 'Feed should contain </rss>');
+    });
+    
+    casper.run(function () {
+        test.done();
+    });
+});