CVE-2023-34408: fix XSS in RSS syntax by splitbrain · Pull Request #3967 · dokuwiki/dokuwiki

DokuWiki before 2023-04-04a allows XSS via RSS titles.

CVE
#xss

The title was not correctly escaped when written to the doc in the xhtml renderer.

SimplePie does no content escaping on its own (a comment in the code seems to suggest that that was assumed). Instead the content is passed on as-is from the feed.

This patch also applies some more escaping on the description output (though it should have been relatively safe thanks to the use of striptags).

This was discovered by @Ry0taK and reported in
https://huntr.dev/bounties/c6119106-1a5c-464c-94dd-ee7c5d0bece0/
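The mechanism described in the PR, as an added illustration that is not code from the DokuWiki patch or from SimplePie: a feed parser hands back item fields unescaped, and a renderer that interpolates them straight into XHTML lets feed-controlled markup through. The sample item, the field names and the two render functions are constructed for this example; the hardened version applies context-appropriate HTML escaping to every untrusted field, including the description after strip_tags().

```php
<?php
// Added example, not the DokuWiki project's own code.
// Models the issue in the PR: feed fields arrive unescaped from the parser
// and are written directly into XHTML output.

// Constructed sample item, shaped like what a feed parser hands back.
// The parser applies no escaping of its own, so the title and description
// are exactly whatever the feed author published.
$item = [
    'title'       => 'Release notes <script>alert(1)</script>',
    'link'        => 'https://example.invalid/post?id=1&lang=en',
    'description' => '<p>Summary with <b>markup</b> and a <script>alert(2)</script> tag</p>',
];

// Escape a string for insertion into HTML text or a quoted attribute.
function esc(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Vulnerable rendering: parser output is interpolated as-is, so the
// <script> element in the title becomes part of the page.
function render_item_unescaped(array $item): string
{
    return '<li><a href="' . $item['link'] . '">' . $item['title'] . '</a></li>';
}

// Hardened rendering: every untrusted field is escaped for the context it
// lands in. strip_tags() on the description removes elements but is not an
// HTML escape by itself (it leaves entities, quotes and stray '<' alone), so
// the stripped text is escaped as well before it is written out.
function render_item_escaped(array $item): string
{
    $title = esc($item['title']);
    $link  = esc($item['link']);   // attribute context: quotes and '&' escaped
    $desc  = esc(strip_tags($item['description']));

    return '<li><a href="' . $link . '">' . $title . '</a><p>' . $desc . '</p></li>';
}

echo "Unescaped:\n" . render_item_unescaped($item) . "\n\n";
echo "Escaped:\n"   . render_item_escaped($item)   . "\n";
```

Running it prints the first list item with a live `<script>` element and the second with `&lt;script&gt;` in the title and `&amp;` in the href. Escaping covers the injection point the PR describes; it does not validate the link's URL scheme, which is a separate check a renderer should make before emitting an href from feed data.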
