From 78f0d6bbd21ed84733e960201c4652e69c565450 Mon Sep 17 00:00:00 2001 From: Zach Copley Date: Fri, 12 Mar 2010 01:12:30 +0000 Subject: [PATCH] Scrub all atom output with common_xml_safe_str() --- classes/Notice.php | 8 ++++++-- classes/User_group.php | 8 ++++++-- lib/activity.php | 23 +++++++++++++++++------ lib/apiaction.php | 12 ++++++++---- 4 files changed, 37 insertions(+), 14 deletions(-) diff --git a/classes/Notice.php b/classes/Notice.php index 40a6263e52..a704053a01 100644 --- a/classes/Notice.php +++ b/classes/Notice.php @@ -1151,7 +1151,7 @@ class Notice extends Memcached_DataObject $xs->elementEnd('source'); } - $xs->element('title', null, $this->content); + $xs->element('title', null, common_xml_safe_str($this->content)); if ($author) { $xs->raw($profile->asAtomAuthor()); @@ -1227,7 +1227,11 @@ class Notice extends Memcached_DataObject } } - $xs->element('content', array('type' => 'html'), $this->rendered); + $xs->element( + 'content', + array('type' => 'html'), + common_xml_safe_str($this->rendered) + ); $tag = new Notice_tag(); $tag->notice_id = $this->id; diff --git a/classes/User_group.php b/classes/User_group.php index f295945025..63a407b4c1 100644 --- a/classes/User_group.php +++ b/classes/User_group.php @@ -379,7 +379,7 @@ class User_group extends Memcached_DataObject } $xs->element('title', null, $this->nickname); - $xs->element('summary', null, $this->description); + $xs->element('summary', null, common_xml_safe_str($this->description)); $xs->element('link', array('rel' => 'alternate', 'href' => $this->permalink())); @@ -389,7 +389,11 @@ class User_group extends Memcached_DataObject $xs->element('published', null, common_date_w3dtf($this->created)); $xs->element('updated', null, common_date_w3dtf($this->modified)); - $xs->element('content', array('type' => 'html'), $this->description); + $xs->element( + 'content', + array('type' => 'html'), + common_xml_safe_str($this->description) + ); $xs->elementEnd('entry'); 
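Review bot: In the second `classes/User_group.php` hunk (`@@ -389`), `$this->description` is still emitted as `content` with `'type' => 'html'`, although the `@@ -379` hunk emits the same value as a plain `summary`. `common_xml_safe_str()` is not part of this patch; if it only neutralises characters XML cannot carry, markup typed into a group description reaches feed consumers as HTML to be rendered. Since the description appears to be stored as plain text, escape it before scrubbing, `common_xml_safe_str(htmlspecialchars($this->description))`, or declare the element with `'type' => 'text'`. The enclosing method starts and ends outside both hunks.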
diff --git a/lib/activity.php b/lib/activity.php index 2cb80f9e1a..125d391b04 100644 --- a/lib/activity.php +++ b/lib/activity.php @@ -78,7 +78,7 @@ class PoCoAddress if (!empty($this->formatted)) { $xs = new XMLStringer(true); $xs->elementStart('poco:address'); - $xs->element('poco:formatted', null, $this->formatted); + $xs->element('poco:formatted', null, common_xml_safe_str($this->formatted)); $xs->elementEnd('poco:address'); return $xs->getString(); } @@ -279,7 +279,7 @@ class PoCo ); if (!empty($this->note)) { - $xs->element('poco:note', null, $this->note); + $xs->element('poco:note', null, common_xml_safe_str($this->note)); } if (!empty($this->address)) { @@ -805,7 +805,6 @@ class ActivityObject return $object; } - function asString($tag='activity:object') { $xs = new XMLStringer(true); @@ -817,16 +816,28 @@ class ActivityObject $xs->element(self::ID, null, $this->id); if (!empty($this->title)) { - $xs->element(self::TITLE, null, $this->title); + $xs->element( + self::TITLE, + null, + common_xml_safe_str($this->title) + ); } if (!empty($this->summary)) { - $xs->element(self::SUMMARY, null, $this->summary); + $xs->element( + self::SUMMARY, + null, + common_xml_safe_str($this->summary) + ); } if (!empty($this->content)) { // XXX: assuming HTML content here - $xs->element(ActivityUtils::CONTENT, array('type' => 'html'), $this->content); + $xs->element( + ActivityUtils::CONTENT, + array('type' => 'html'), + common_xml_safe_str($this->content) + ); } if (!empty($this->link)) { diff --git a/lib/apiaction.php b/lib/apiaction.php index 73777f4e88..cef5d1c1e8 100644 --- a/lib/apiaction.php +++ b/lib/apiaction.php 
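Review bot: `ActivityObject::asString()` still writes the id unscrubbed via `$xs->element(self::ID, null, $this->id)`, so scrubbing call site by call site leaves fields uncovered. The same holds for `$this->nickname` in `classes/User_group.php` and for `$entry['id']` and `$id` in the `lib/apiaction.php` hunks. If any of these can carry remotely supplied text (an ActivityObject built from another server's feed, presumably), a single control character there still produces a document that parsers reject. Consider applying `common_xml_safe_str()` once inside the `element()` writer these call sites use (if `XMLStringer` and `ApiAction` share one), so new call sites are covered by default. At minimum, use `$xs->element(self::ID, null, common_xml_safe_str($this->id));`. `asString()` continues past the end of the hunk.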
@@ -743,8 +743,12 @@ class ApiAction extends Action function showTwitterAtomEntry($entry) { $this->elementStart('entry'); - $this->element('title', null, $entry['title']); - $this->element('content', array('type' => 'html'), $entry['content']); + $this->element('title', null, common_xml_safe_str($entry['title'])); + $this->element( + 'content', + array('type' => 'html'), + common_xml_safe_str($entry['content']) + ); $this->element('id', null, $entry['id']); $this->element('published', null, $entry['published']); $this->element('updated', null, $entry['updated']); @@ -859,7 +863,7 @@ class ApiAction extends Action $this->initDocument('atom'); - $this->element('title', null, $title); + $this->element('title', null, common_xml_safe_str($title)); $this->element('id', null, $id); $this->element('link', array('href' => $link, 'rel' => 'alternate', 'type' => 'text/html'), null); @@ -869,7 +873,7 @@ class ApiAction extends Action } $this->element('updated', null, common_date_iso8601('now')); - $this->element('subtitle', null, $subtitle); + $this->element('subtitle', null, common_xml_safe_str($subtitle)); if (is_array($group)) { foreach ($group as $g) {