use HTML escaping in RSS template, fixes #21

2024-11-23 12:08:00 +01:00 · 2020-01-10 12:43:56 -05:00 · 2020-01-10 12:43:56 -05:00 · 4ac63f9f4e
commit 4ac63f9f4e
parent d2ad52da93
2 changed files with 4 additions and 2 deletions
--- a/lib/philomena_web/controllers/api/rss/watched_controller.ex
+++ b/lib/philomena_web/controllers/api/rss/watched_controller.ex
@ -6,6 +6,8 @@ defmodule PhilomenaWeb.Api.Rss.WatchedController do
  def index(conn, _params) do
    {:ok, {images, _tags}} = ImageLoader.search_string(conn, "my:watched")

-    render(conn, "index.rss", images: images)
+    # NB: this is RSS, but using the RSS format causes Phoenix not to
+    # escape HTML
+    render(conn, "index.html", layout: false, images: images)
  end
 end
--- a/lib/philomena_web/templates/api/rss/watched/index.html.eex
+++ b/lib/philomena_web/templates/api/rss/watched/index.html.eex
@ -8,7 +8,7 @@

    <%= for image <- @images do %>
        <item>
-          <title><%= "##{image.id} - #{image.tag_list_cache}" %></title>
+          <title>#<%= image.id %> - <%= image.tag_list_cache %></title>
          <description>
            <![CDATA[
              <% mouseovertext = "Size: #{image.image_width}x#{image.image_height} | Tagged: #{image.tag_list_cache}" %>