Escape feed contents

feeds/atom.go

@@ -2,6 +2,7 @@ package feeds
 
 import (
 	"fmt"
+	"html"
 	"strings"
 	"time"
 
@@ -20,15 +21,16 @@ func ToAtom(feedInfo FeedInfo, bookmarks []*bookmarks.Bookmark) string {
 
 	// Feed
 	output = append(output, `<feed xmlns="http://www.w3.org/2005/Atom">`)
-	output = append(output, fmt.Sprintf("\t<title>%s</title>", feedInfo.SiteName))
+	output = append(output, fmt.Sprintf("\t<title>%s</title>", html.EscapeString(feedInfo.SiteName)))
+	output = append(output, fmt.Sprintf("\t<subtitle>%s</subtitle>", html.EscapeString(feedInfo.Description)))
 	output = append(output, fmt.Sprintf(`%s<link href="%s" />`, "\t", feedInfo.BaseURL))
 	output = append(output, fmt.Sprintf(`%s<link href="%s" rel="self" />`, "\t", feedInfo.CurrentURL))
 	output = append(output, fmt.Sprintf("\t<updated>%s</updated>", pubDate.Format(time.RFC3339)))
 
 	output = append(output, "\t<author>")
-	output = append(output, fmt.Sprintf("\t\t<name>%s</name>", feedInfo.AuthorName))
+	output = append(output, fmt.Sprintf("\t\t<name>%s</name>", html.EscapeString(feedInfo.AuthorName)))
 	if feedInfo.AuthorEmail != "" {
-		output = append(output, fmt.Sprintf("\t\t<email>%s</email>", feedInfo.AuthorEmail))
+		output = append(output, fmt.Sprintf("\t\t<email>%s</email>", html.EscapeString(feedInfo.AuthorEmail)))
 	}
 	output = append(output, "\t</author>")
 	output = append(output, fmt.Sprintf("\t<id>%s</id>", feedInfo.BaseURL))
@@ -38,9 +40,9 @@ func ToAtom(feedInfo FeedInfo, bookmarks []*bookmarks.Bookmark) string {
 	for _, bm := range bookmarks {
 		output = append(output, "\t<entry>")
 		output = append(output, fmt.Sprintf("\t\t<id>%s:%s</id>", feedInfo.BaseURL, bm.URL))
-		output = append(output, fmt.Sprintf("\t\t<title>%s</title>", bm.Title))
+		output = append(output, fmt.Sprintf("\t\t<title>%s</title>", html.EscapeString(bm.Title)))
 		output = append(output, fmt.Sprintf("\t\t<updated>%s</updated>", bm.Created.Format(time.RFC3339)))
-		output = append(output, fmt.Sprintf("\t\t<content>%s</content>", bm.Description))
+		output = append(output, fmt.Sprintf("\t\t<content>%s</content>", html.EscapeString(bm.Description)))
 		output = append(output, "\t</entry>")
 	}
 

feeds/rss.go

@@ -2,6 +2,7 @@ package feeds
 
 import (
 	"fmt"
+	"html"
 	"strings"
 	"time"
 
@@ -20,9 +21,9 @@ func ToRSS(feedInfo FeedInfo, bookmarks []*bookmarks.Bookmark) string {
 	output = append(output, "<channel>")
 
 	// Channel
-	output = append(output, fmt.Sprintf("\t<title>%s</title>", feedInfo.SiteName))
+	output = append(output, fmt.Sprintf("\t<title>%s</title>", html.EscapeString(feedInfo.SiteName)))
 	output = append(output, fmt.Sprintf("\t<link>%s</link>", feedInfo.BaseURL))
-	output = append(output, fmt.Sprintf("\t<description>%s</description>", feedInfo.Description))
+	output = append(output, fmt.Sprintf("\t<description>%s</description>", html.EscapeString(feedInfo.Description)))
 	output = append(output, fmt.Sprintf("\t<pubDate>%s</pubDate>", pubDate.Format(time.RFC1123Z)))
 	output = append(output, fmt.Sprintf("\t<lastBuildDate>%s</lastBuildDate>", pubDate.Format(time.RFC1123Z)))
 	output = append(output, "\t<generator>Bookmark Manager (https://github.com/saaste/bookmark-manager)</generator>")
@@ -32,11 +33,11 @@ func ToRSS(feedInfo FeedInfo, bookmarks []*bookmarks.Bookmark) string {
 	for _, bm := range bookmarks {
 		output = append(output, "\t<item>")
 
-		output = append(output, fmt.Sprintf("\t\t<title>%s</title>", bm.Title))
+		output = append(output, fmt.Sprintf("\t\t<title>%s</title>", html.EscapeString(bm.Title)))
 		output = append(output, fmt.Sprintf("\t\t<link>%s</link>", bm.URL))
 
 		if bm.Description != "" {
-			output = append(output, fmt.Sprintf("\t\t<description>%s</description>", bm.Title))
+			output = append(output, fmt.Sprintf("\t\t<description>%s</description>", html.EscapeString(bm.Title)))
 		}
 
 		output = append(output, fmt.Sprintf("\t\t<pubDate>%s</pubDate>", bm.Created.Format(time.RFC1123Z)))