From 0890b52b4c9d41bb5c45a138c6f1d25ca618b7e8 Mon Sep 17 00:00:00 2001
From: Marcus Rohrmoser <github@mro.name>
Date: Fri, 24 Apr 2015 17:14:17 +0200
Subject: [PATCH] properly escape atom xml. Refs
 https://github.com/sebsauvage/rss-bridge/issues/123

---
 formats/AtomFormat.php | 26 ++++++++++++++++----------
 1 file changed, 16 insertions(+), 10 deletions(-)

diff --git a/formats/AtomFormat.php b/formats/AtomFormat.php
index 84787e35..f3797e29 100644
--- a/formats/AtomFormat.php
+++ b/formats/AtomFormat.php
@@ -1,4 +1,9 @@
 <?php
+
+function xml_encode($text) {
+	return htmlspecialchars($text, ENT_XML1);
+}
+
 /**
 * Atom
 * Documentation Source http://en.wikipedia.org/wiki/Atom_%28standard%29 and http://tools.ietf.org/html/rfc4287
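Review bot: `xml_encode` passes only `ENT_XML1`, so the apostrophe is left unescaped and, without `ENT_SUBSTITUTE`, a single invalid UTF-8 byte in any input makes `htmlspecialchars` return an empty string — the affected title, author or URI then silently vanishes from the feed instead of being escaped. Since `display()` in this same patch declares `charset=UTF-8`, and the helper is reused for values whose output context (element text or attribute) is not visible here, `return htmlspecialchars($text, ENT_XML1 | ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');` covers both cases explicitly. XML 1.0 also forbids most C0 control characters, which `htmlspecialchars` passes through, so scraped content carrying such bytes still yields an ill-formed feed; stripping them in this helper would be a cheap hardening. A top-level function in a class file will also fatal on redefinition if the file is ever included twice, so a `function_exists` guard or a private static method on `AtomFormat` would be safer.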
@@ -13,20 +18,21 @@ class AtomFormat extends FormatAbstract{
         $httpHost = isset($_SERVER['HTTP_HOST']) ? $_SERVER['HTTP_HOST'] : '';
         $httpInfo = isset($_SERVER['PATH_INFO']) ? $_SERVER['PATH_INFO'] : '';
 
-        $serverRequestUri = htmlspecialchars($_SERVER['REQUEST_URI']);
+        $serverRequestUri = xml_encode($_SERVER['REQUEST_URI']);
 
         $extraInfos = $this->getExtraInfos();
-        $title = htmlspecialchars($extraInfos['name']);
-        $uri = htmlspecialchars($extraInfos['uri']);
-        $icon = 'http://g.etfv.co/'. $uri .'?icon.jpg';
+        $title = xml_encode($extraInfos['name']);
+        $uri = $extraInfos['uri'];
+        $icon = xml_encode('http://g.etfv.co/'. $uri .'?icon.jpg');
+        $uri = xml_encode($uri);
 
         $entries = '';
         foreach($this->getDatas() as $data){
-            $entryName = strip_tags(is_null($data->name) ? $title : $data->name);
-            $entryAuthor = strip_tags(is_null($data->author) ? $uri : $data->author);
-            $entryTitle = strip_tags(is_null($data->title) ? '' : $data->title);
-            $entryUri = htmlspecialchars(is_null($data->uri) ? '' : $data->uri);
-            $entryTimestamp = is_null($data->timestamp) ? '' : date(DATE_ATOM, $data->timestamp);
+            $entryName = is_null($data->name) ? $title : xml_encode($data->name);
+            $entryAuthor = is_null($data->author) ? $uri : xml_encode($data->author);
+            $entryTitle = is_null($data->title) ? '' : xml_encode($data->title);
+            $entryUri = is_null($data->uri) ? '' : xml_encode($data->uri);
+            $entryTimestamp = is_null($data->timestamp) ? '' : xml_encode(date(DATE_ATOM, $data->timestamp));
             // We prevent content from closing the CDATA too early.
             $entryContent = is_null($data->content) ? '' : '<![CDATA[' . $this->sanitizeHtml(str_replace(']]>','',$data->content)) . ']]>';
 
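Review bot: The CDATA guard on the `$entryContent` line is bypassable: `str_replace` makes one non-overlapping pass, so content containing `]]]]>>` still yields `]]>` after the deletion and terminates the CDATA section, letting the rest of the entry body be parsed as markup. The usual fix is to split the section rather than delete the sequence, `str_replace(']]>', ']]]]><![CDATA[>', ...)`, which is safe against that adjacency because every resulting `]]>` is immediately followed by a reopening `<![CDATA[`. Because `sanitizeHtml()` runs after the replacement and its behaviour is not visible here, consider applying the replacement to its result so nothing it emits (e.g. a decoded entity) can reintroduce the sequence. Separately, dropping `strip_tags()` on name, author and title means a value carrying HTML markup now renders literally as `&lt;b&gt;…` in readers, since Atom `title` is type text by default; if bridges do return markup there, `xml_encode(strip_tags(...))` keeps the previous rendering while still escaping. The enclosing method starts before and continues after this hunk.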
@@ -87,7 +93,7 @@ EOD;
 
     public function display(){
         $this
-            ->setContentType('application/atom+xml; charset=utf8')  // We force UTF-8 in ATOM output.
+            ->setContentType('application/atom+xml; charset=UTF-8')  // We force UTF-8 in ATOM output.
             ->callContentType();
 
         return parent::display();