Forum .LRN Q&A: news-aggregator portlet error

Posted by Eduardo Palacio on
Hi all:

In the news-aggregator-portlet the news doesn't show right, because the variable @items.content@ shows all the HTML tags.

This happens in versions 2.0.0rc1, 2.0.1 and 2.0.2

You need to change this variable @items.content@ in news-aggregator-portlet.adp to @items.content;noquote@
and all works well.

I tried this URL for the test: http://www.libertaddigital.com/rss/portada.xml

bye.

Posted by Nima Mazloumi on
Hi Eduardo,
There were several posts on that. I will write a bug report and submit a patch today, and if it is approved it will be fixed in CVS.

Greetings,
Nima

Posted by Felipe Gelbcke Gubert on
Same with weblog... (if you post a link)

@entries-content@

@entries-content;noquote@

solves the problem

Posted by Jeff Davis on
You need to be careful making things like that noquote, since if someone were to put something like the following:
<img src="http://yoursite.com/admin/grant-admin?user_id=eviluser">
in an aggregated feed you read on yoursite.com, when you went to read it, it would get the URL, which would grant sitewide admin to their user_id on your site.

In general, anything that comes from the outside needs to be checked for XSS and allowed tags before it is displayed.