site: fix escaping in RSS feed (#5214)

4 years ago · 1f87f5fb20
parent 02e10b1159
commit 1f87f5fb20
1 changed files with 14 additions and 2 deletions
--- a/site/src/routes/blog/rss.xml.js
+++ b/site/src/routes/blog/rss.xml.js
@ -8,6 +8,18 @@ function formatPubdate(str) {
 	return `${d} ${months[+m]} ${y} 12:00 +0000`;
 }

+function escapeHTML(html) {
+	const chars = {
+		'"' : 'quot',
+		"'": '#39',
+		'&': 'amp',
+		'<' : 'lt',
+		'>' : 'gt'
+	};
+
+	return html.replace(/["'&<>]/g, c => `&${chars[c]};`);
+}
+
 const rss = `
 <?xml version="1.0" encoding="UTF-8" ?>
 <rss version="2.0">
@ -23,9 +35,9 @@ const rss = `
 	</image>
 	${get_posts().filter(post => !post.metadata.draft).map(post => `
 		<item>
-			<title>${post.metadata.title}</title>
+			<title>${escapeHTML(post.metadata.title)}</title>
 			<link>https://svelte.dev/blog/${post.slug}</link>
-			<description>${post.metadata.description}</description>
+			<description>${escapeHTML(post.metadata.description)}</description>
 			<pubDate>${formatPubdate(post.metadata.pubdate)}</pubDate>
 		</item>
 	`).join('')}