escape strings in feeds

2025-10-25 23:55:56 +01:00
parent cc5528f170
commit 78c3780651
3 changed files with 13 additions and 1 deletions
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -566,6 +566,7 @@ dependencies = [
 "poem-openapi",
 "rusqlite",
 "tokio",
+ "xml",
 ]

 [[package]]
@@ -1351,3 +1352,9 @@ name = "wit-bindgen"
 version = "0.45.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "5c573471f125075647d03df72e026074b7203790d41351cd6edc96f46bcccd36"
+
+[[package]]
+name = "xml"
+version = "1.0.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "58a4274c410d957424a1502b21126915b45d9956b2f80a88d4f6f906af29facc"
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -8,3 +8,4 @@ poem = "3.1.12"
 poem-openapi = { version = "5.1.16", features = ["swagger-ui"] }
 rusqlite = "0.37.0"
 tokio = { version = "1.47.1", features = ["macros", "rt-multi-thread"] }
+xml = "1.0.1"
--- a/src/main.rs
+++ b/src/main.rs
@@ -151,7 +151,11 @@ impl Api {
        {
            Ok(Ok(bookmarks)) => {
                for b in bookmarks {
-                    resp.push_str(&format!("<item>\n<title>{}</title>\n<link>{}</link>\n<description>{}</description>\n</item>", b.title, b.url, b.description));
+                    resp.push_str(&format!(
+                            "<item>\n<title>{}</title>\n<link>{}</link>\n<description>{}</description>\n</item>",
+                            xml::escape::escape_str_attribute(&b.title),
+                            xml::escape::escape_str_attribute(&b.url),
+                            xml::escape::escape_str_attribute(&b.description)));
                }
            }
            Ok(Err(e)) => {