Comment 1 for bug 798136

François Marier (fmarier) wrote : Re: XSS in URI attributes

A quick update on this one. It turns out that the problem could be much larger than just the external feed block: we need to also run the contents of URI attributes through HTML Purifier because template auto-escaping doesn't help here.

So what we're going to do is look through the whole codebase looking for "href", "src" and "action" attributes:

- in the Dwoo templates
- in the code where we create HTML by hand
- in the "action" attribute of forms (Pieforms mostly)

Ideally, we should produce these attribute-containing HTML tags in PHP land so that we can push them to the template and pipe them through |clean_html.
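An added illustration of the point made in this comment (this is example code, not Mahara's clean_html and not HTML Purifier itself): HTML-escaping a value that ends up in href, src or action stops it from breaking out of the attribute, but it leaves a javascript: or data: URL fully functional, because those payloads contain nothing that htmlspecialchars touches. The safe_uri() and render_link() helpers below are hypothetical names; they decode entities, ignore the whitespace browsers strip inside a scheme, allow only a small scheme list plus relative URLs, and drop the attribute otherwise. The payload strings are constructed for the demo.

```php
<?php
// Added example, not Mahara code: why auto-escaping alone does not fix
// XSS in URI attributes, and one way to check such values before output.

function escape_html(string $s): string {
    // What a template auto-escape filter effectively does to text content.
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Hypothetical helper (not clean_html): returns a URI that is safe to put in
// href/src/action, or null if the attribute should be dropped entirely.
function safe_uri(string $uri, array $allowed = ['http', 'https', 'mailto']): ?string {
    // Browsers decode entities in attribute values, so "&#106;avascript:" is
    // "javascript:" to them. Decode first so the scheme check sees what they see.
    $uri = trim(html_entity_decode($uri, ENT_QUOTES | ENT_HTML5, 'UTF-8'));

    // Browsers also ignore tabs/newlines inside the scheme ("java\tscript:"),
    // so strip ASCII control characters and spaces before looking for one.
    $probe = preg_replace('/[\x00-\x20]/', '', $uri);
    if ($probe === null) {
        return null;
    }

    // No scheme at all: a relative URL such as "/view/index.php?id=3" or "#top".
    if (!preg_match('/^([a-z][a-z0-9+.\-]*):/i', $probe, $m)) {
        return $uri;
    }

    // Absolute URL: accept only an explicitly allowed scheme, case-insensitively.
    return in_array(strtolower($m[1]), $allowed, true) ? $uri : null;
}

// Hypothetical helper: build the <a> tag in PHP so the check and the escaping
// happen in one place, as the comment suggests doing for href/src/action.
function render_link(string $href, string $text): string {
    $safe = safe_uri($href);
    if ($safe === null) {
        // Drop the attribute rather than emit a "neutralised" javascript: value.
        return '<a>' . escape_html($text) . '</a>';
    }
    // Escaping is still required: it prevents '" onmouseover="...' from
    // closing the attribute. The scheme check and the escaping are both needed.
    return '<a href="' . escape_html($safe) . '">' . escape_html($text) . '</a>';
}

// Constructed sample inputs: hostile values beside legitimate ones.
$samples = [
    'javascript:alert(document.cookie)',
    ' JavaScript:alert(1)',
    "java\tscript:alert(1)",
    '&#106;avascript:alert(1)',
    'data:text/html,<script>alert(1)</script>',
    '" onmouseover="alert(1)',
    'https://example.org/feed.rss',
    '/view/index.php?id=3',
];

foreach ($samples as $value) {
    echo "input:        ", json_encode($value), "\n";
    // Escaping alone: the javascript:/data: payloads come back unchanged and live.
    echo "escaped only: <a href=\"", escape_html($value), "\">link</a>\n";
    // Checked first: hostile schemes lose the attribute, legitimate URLs survive.
    echo "checked:      ", render_link($value, 'link'), "\n\n";
}
```

The same check applies to the src of images and iframes coming from feeds, and to the action of a Pieform, since a form posting to a javascript: URL runs on submit. HTML Purifier's URI.AllowedSchemes directive performs this scheme allowlisting as part of a full parse, which is why piping the finished tag through |clean_html is the more robust option than hand-rolled checks like the one above.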