SS-2015-022: XML escape RSSFeed $link parameter
- Severity: Low
- Identifier: SS-2015-022
- Versions Affected: 3.1.15 and below, 3.2.0
- Versions Fixed: 3.1.16, 3.2.1
- Release Date: 2015-11-16
When RSSLink is created, it is given a URL that is rendered via $Link in a template without being properly escaped.
This was resolved by ensuring that $Link is cast to Varchar, which is XML encoded by default in any template.
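The effect of XML-encoding the link value can be seen in the following added example, which is not SilverStripe's code or the actual patch. `render_feed()`, `xml_escape()` and `inspect_feed()` are hypothetical helpers that stand in for a template printing $Link inside an RSS `<link>` element, and the sample URLs are constructed.

```php
<?php
// Added illustration, not SilverStripe code. render_feed() is a hypothetical
// stand-in for a template that prints $Link inside an RSS <link> element.

function xml_escape(string $value): string
{
    // Escapes & < > " ' so the value can only ever be character data.
    return htmlspecialchars($value, ENT_XML1 | ENT_QUOTES, 'UTF-8');
}

function render_feed(string $link, bool $escape): string
{
    $out = $escape ? xml_escape($link) : $link;
    return '<rss version="2.0"><channel><title>Example</title>'
        . '<link>' . $out . '</link></channel></rss>';
}

// Parse the feed the way a consumer would and report what it sees.
function inspect_feed(string $xml): array
{
    libxml_use_internal_errors(true);
    $doc = new DOMDocument();
    $ok = $doc->loadXML($xml);
    libxml_clear_errors();
    if (!$ok) {
        return ['well_formed' => false];
    }
    $children = [];
    foreach ($doc->getElementsByTagName('channel')->item(0)->childNodes as $node) {
        if ($node->nodeType === XML_ELEMENT_NODE) {
            $children[] = $node->nodeName;
        }
    }
    $link = $doc->getElementsByTagName('link')->item(0)->textContent;
    return ['well_formed' => true, 'channel_children' => $children, 'link' => $link];
}

// Constructed sample values for $Link.
$samples = [
    'https://example.com/rss?page=1&sort=asc',
    'https://example.com/rss</link><injected>x</injected><link>',
];
foreach ($samples as $link) {
    foreach ([false, true] as $escape) {
        $result = inspect_feed(render_feed($link, $escape));
        echo ($escape ? 'escaped: ' : 'raw:     '), json_encode($result), "\n";
    }
}
```

With the raw value, a bare `&` makes the feed unparseable and markup in the URL changes the element structure of the channel. With the encoded value the feed stays well formed and the parsed link text equals the original URL.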