
[MrssFormat] Use XML encoding on data

logmanoriginal 7 роки тому
батько
коміт
0d94f1fe0e
1 змінених файлів з 12 додано та 8 видалено
  1. 12 8
      formats/MrssFormat.php

+ 12 - 8
formats/MrssFormat.php

@@ -13,20 +13,20 @@ class MrssFormat extends FormatAbstract{
         $httpHost = isset($_SERVER['HTTP_HOST']) ? $_SERVER['HTTP_HOST'] : '';
         $httpInfo = isset($_SERVER['PATH_INFO']) ? $_SERVER['PATH_INFO'] : '';
 
-        $serverRequestUri = htmlspecialchars($_SERVER['REQUEST_URI']);
+        $serverRequestUri = $this->xml_encode($_SERVER['REQUEST_URI']);
 
         $extraInfos = $this->getExtraInfos();
-        $title = htmlspecialchars($extraInfos['name']);
-        $uri = !empty($extraInfos['uri']) ? $extraInfos['uri'] : 'https://github.com/sebsauvage/rss-bridge';
+        $title = $this->xml_encode($extraInfos['name']);
+        $uri = $this->xml_encode(!empty($extraInfos['uri']) ? $extraInfos['uri'] : 'https://github.com/sebsauvage/rss-bridge');
 
         $items = '';
         foreach($this->getDatas() as $data){
-            $itemTitle = strip_tags(is_null($data->title) ? '' : $data->title);
-            $itemUri = is_null($data->uri) ? '' : $data->uri;
-            $itemAuthor = is_null($data->author) ? '' : $data->author;
-            $itemTimestamp = is_null($data->timestamp) ? '' : date(DATE_RFC2822, $data->timestamp);
+            $itemTitle = strip_tags(is_null($data->title) ? '' : $this->xml_encode($data->title));
+            $itemUri = is_null($data->uri) ? '' : $this->xml_encode($data->uri);
+            $itemAuthor = is_null($data->author) ? $title : $this->xml_encode($data->author);
+            $itemTimestamp = is_null($data->timestamp) ? '' : $this->xml_encode(date(DATE_RFC2822, $data->timestamp));
             // We prevent content from closing the CDATA too early.
-            $itemContent = is_null($data->content) ? '' : htmlspecialchars($this->sanitizeHtml(str_replace(']]>','',$data->content)));
+            $itemContent = is_null($data->content) ? '' : $this->xml_encode($this->sanitizeHtml($data->content));
 
             $items .= <<<EOD
 
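Review bot: The call order on the `$itemTitle` line is inverted: `xml_encode()` runs before `strip_tags()`, so every `<` has already become `&lt;` by the time `strip_tags` looks for tags, and any markup in a title now survives as literal, visible `&lt;b&gt;…` text instead of being stripped as it was before; the intended order is `$itemTitle = is_null($data->title) ? '' : $this->xml_encode(strip_tags($data->title));`. The comment above `$itemContent` ("We prevent content from closing the CDATA too early") is now stale, since the `str_replace(']]>', '', …)` it described was removed; if the content is still wrapped in a CDATA section, the encoding of `>` is what now guarantees `]]>` cannot appear, and the comment should say so, e.g. `// xml_encode() turns '>' into '&gt;', so the content can never contain ']]>' and close the CDATA early.` The `$itemAuthor` fallback also silently changed from `''` to `$title`, which is unrelated to the stated purpose of the commit and is worth either mentioning in the message or splitting out. The surrounding `display()` method starts before and ends after this hunk.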
@@ -82,4 +82,8 @@ EOD;
 
         return parent::display();
     }
+
+    private function xml_encode($text) {
+        return htmlspecialchars($text, ENT_XML1);
+    }
 }
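Review bot: Passing `ENT_XML1` alone to `htmlspecialchars()` replaces the default flag set rather than adding to it, so single quotes are left unencoded and, more importantly, `ENT_SUBSTITUTE` is not in effect: for input containing an invalid UTF-8 sequence — not unusual in scraped feed data — `htmlspecialchars()` returns an empty string, silently dropping the title, author or content of that item. A safer helper is `return htmlspecialchars($text, ENT_XML1 | ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');`, which escapes both quote styles for use in any attribute context and substitutes U+FFFD for malformed sequences instead of discarding the value. A short docblock would also help, e.g. `/** Escapes $text for use as XML element or attribute content (entities only; no CDATA handling). */`, and the snake_case name `xml_encode` departs from the camelCase used by the other methods in the class (`getExtraInfos`, `sanitizeHtml`, `getDatas`).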