feed icon indicating copy to clipboard operation
feed copied to clipboard

Published 20 hours ago • verified publisher icon jpmonette

Fix double escaping of & in Atom feed "self" URL

Open cwalther opened this issue 3 years ago • 2 comments

In the <link rel="self"> URL of an Atom 1 feed, a & in the URL is mistakenly escaped twice, appearing as &amp;amp;.

Steps to reproduce:

node -e 'const Feed = require("feed").Feed; console.log((new Feed({feed: "a&b"})).atom1());'

Expected result:

<?xml version="1.0" encoding="utf-8"?>
<feed xmlns="http://www.w3.org/2005/Atom">
    <id/>
    <title/>
    <updated>2021-03-05T21:19:20.314Z</updated>
    <generator>https://github.com/jpmonette/feed</generator>
    <link rel="self" href="a&amp;b"/>
</feed>

Actual result:

<?xml version="1.0" encoding="utf-8"?>
<feed xmlns="http://www.w3.org/2005/Atom">
    <id/>
    <title/>
    <updated>2021-03-05T21:16:48.247Z</updated>
    <generator>https://github.com/jpmonette/feed</generator>
    <link rel="self" href="a&amp;amp;b"/>
</feed>

The cause is that 50ed093a0b3dd6696b9bc5d206c9613c9f8b1f10 was overzealous, feeding atomLink through sanitize() twice.

The attached commits add a currently failing test as well as fix. Also, a few tests for the same thing in other URL-typed fields, but these were already handled correctly.

cwalther avatar Mar 05 '21 21:03 cwalther

Coverage Status

Coverage remained the same at 99.571% when pulling 1bc36d0cd4779f5a8fb635eb47cef72f58132688 on cwalther:doubleamp into fd77835d23990670975092c15009c75432e258ac on jpmonette:master.

coveralls avatar Mar 05 '21 21:03 coveralls

(To be honest, I’m a bit surprised this sanitize() is needed at all. Shouldn’t it be the job of the XML serialization library to correctly encode attributes?)

cwalther avatar Mar 05 '21 21:03 cwalther