XML External Entity (XXE) Vulnerability in Latest Release

[HatBoy]

Hi, I would like to report XML External Entity (XXE) vulnerability in latest release. Description: XML External Entity (XXE) vulnerability in quokka/utils/atom.py 157 line and auokka/core/content/views.py 94 line, Because there is no filter authors, title. Steps To Reproduce: 1.Create a article, title and authors can insert XML payload. 2.Open the url: http://192.168.100.8:8000/author/{author}/index.rss http://192.168.100.8:8000/author/{author}/index.atom can see the title and authors has inserted into the XML.

author by [email protected]

[marcosptf]

was removed WIP from pr and fixed this issue: hotfix ready to merge: please make your comments and reviews: https://github.com/rochacbruno/quokka/pull/679