Fix XSS in /feed (#4218)

ildyria · web-flow · commit d2e2606a0223 · 2026-03-23T18:50:16.000+01:00
diff --git a/app/Actions/RSS/Generate.php b/app/Actions/RSS/Generate.php
@@ -20,6 +20,7 @@
 use App\Services\UrlGenerator;
 use Carbon\Exceptions\InvalidFormatException;
 use Carbon\Exceptions\UnitException;
+use GrahamCampbell\Markdown\Facades\Markdown;
 use Illuminate\Contracts\Container\BindingResolutionException;
 use Illuminate\Support\Carbon;
 use Illuminate\Support\Collection;
@@ -54,7 +55,7 @@ private function toFeedItem(object $data): FeedItem
 		$feed_item = [
 			'id' => $page_link,
 			'title' => $data->title,
-			'summary' => $data->description ?? '',
+			'summary' => Markdown::convert($data->description ?? '')->getContent(),
 			'updated' => $this->asDateTime($data->updated_at),
 			'link' => $page_link,
 			'enclosure' => $this->url_generator->pathToUrl($data->short_path, $data->storage_disk, SizeVariantType::ORIGINAL),
diff --git a/database/migrations/2026_03_23_162424_bump_version070503.php b/database/migrations/2026_03_23_162424_bump_version070503.php
@@ -0,0 +1,52 @@
+<?php
+
+/**
+ * SPDX-License-Identifier: MIT
+ * Copyright (c) 2017-2018 Tobias Reich
+ * Copyright (c) 2018-2026 LycheeOrg.
+ */
+
+use Illuminate\Database\Migrations\Migration;
+use Illuminate\Support\Facades\Artisan;
+use Illuminate\Support\Facades\DB;
+use Symfony\Component\Console\Output\ConsoleOutput;
+use Symfony\Component\Console\Output\ConsoleSectionOutput;
+
+return new class() extends Migration {
+	private ConsoleOutput $output;
+	private ConsoleSectionOutput $msg_section;
+
+	public function __construct()
+	{
+		$this->output = new ConsoleOutput();
+		$this->msg_section = $this->output->section();
+	}
+
+	/**
+	 * Run the migrations.
+	 *
+	 * @return void
+	 */
+	public function up(): void
+	{
+		DB::table('configs')->where('key', 'version')->update(['value' => '070503']);
+		try {
+			Artisan::call('cache:clear');
+		} catch (\Throwable $e) {
+			$this->msg_section->writeln('<error>Warning:</error> Failed to clear cache for version 7.5.3');
+
+			return;
+		}
+		$this->msg_section->writeln('<info>Info:</info> Cleared cache for version 7.5.3');
+	}
+
+	/**
+	 * Reverse the migrations.
+	 *
+	 * @return void
+	 */
+	public function down(): void
+	{
+		DB::table('configs')->where('key', 'version')->update(['value' => '070502']);
+	}
+};
diff --git a/resources/views/vendor/feed/json.blade.php b/resources/views/vendor/feed/json.blade.php
@@ -28,7 +28,7 @@
                 }
             ],
 @endif
-            "tags": [ {!! implode(',', array_map(fn($c) => '"'.$c.'"', $item->category)) !!} ]
+            "tags": @json($item->category)
         }@if($item !== $items->last()),
 @endif
         @endforeach
diff --git a/version.md b/version.md
@@ -1 +1 @@
-7.5.2
+7.5.3

Original file line number	Diff line number	Diff line change
`@@ -28,7 +28,7 @@`
`28`	`28`	`}`
`29`	`29`	`],`
`30`	`30`	`@endif`
`31`		`- "tags": [ {!! implode(',', array_map(fn($c) => '"'.$c.'"', $item->category)) !!} ]`
	`31`	`+ "tags": @json($item->category)`
`32`	`32`	`}@if($item !== $items->last()),`
`33`	`33`	`@endif`
`34`	`34`	`@endforeach`