A quick update on this one. It turns out that the problem could be much larger than just the external feed block: we also need to run the contents of URI attributes through HTML Purifier, because template auto-escaping doesn't help here.
So what we're going to do is look through the whole codebase looking for "href", "src" and "action" attributes:
- in the Dwoo templates
- in the code where we create HTML by hand
- in the "action" attribute of forms (Pieforms mostly)
Ideally, we should produce these attribute-containing HTML tags in PHP land so that we can push them to the template and pipe them through |clean_html.
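An added example, not part of the bug comment above and not Mahara's own code, showing why auto-escaping leaves a `javascript:` URI intact and what running the tag through HTML Purifier does instead. It assumes the HTML Purifier library is on the include path; the helper name `clean_uri_tag()` and its scheme list are assumptions standing in for whatever Mahara's `clean_html` ends up doing, and the feed link is a constructed attacker input.

```php
<?php
// Added example, not Mahara code. Assumes HTML Purifier's bundled loader
// (HTMLPurifier.auto.php) is on the include path. clean_uri_tag() is a
// hypothetical stand-in for piping a tag through |clean_html.
require_once 'HTMLPurifier.auto.php';

// Constructed attacker input: the "link" of an external feed entry.
$feed_link = 'javascript:alert(document.cookie)';

// 1. What template auto-escaping gives us: HTML-special characters are
//    escaped, but nothing here is HTML-special, so the scheme survives and
//    the link still runs script when clicked.
$escaped = '<a href="' . htmlspecialchars($feed_link, ENT_QUOTES, 'UTF-8') . '">feed</a>';
// $escaped is exactly: <a href="javascript:alert(document.cookie)">feed</a>

// 2. Build the tag in PHP land and run it through HTML Purifier, which parses
//    the URI and keeps only allow-listed schemes (relative URLs are allowed).
function clean_uri_tag($html) {
    $config = HTMLPurifier_Config::createDefault();
    $config->set('Cache.DefinitionImpl', null);          // no on-disk definition cache for this demo
    $config->set('HTML.Allowed', 'a[href],img[src|alt]'); // only the tags/attributes we generate
    $config->set('URI.AllowedSchemes', array(             // assumed allow-list; adjust per site
        'http'   => true,
        'https'  => true,
        'mailto' => true,
    ));
    $purifier = new HTMLPurifier($config);
    return $purifier->purify($html);
}

// The href with a disallowed scheme is dropped; the anchor text survives.
echo clean_uri_tag($escaped), "\n";                                   // <a>feed</a>

// A legitimate link passes through unchanged.
echo clean_uri_tag('<a href="https://example.org/rss">feed</a>'), "\n";

// Browsers ignore case in the scheme and strip embedded tabs/newlines and
// leading whitespace, so a scheme check has to normalise the same way.
// HTML Purifier trims and removes \t \n \r from attribute values before
// parsing, so all three variants also come back without an href.
$variants = array("JaVaScRiPt:alert(1)", "java\tscript:alert(1)", " javascript:alert(1)");
foreach ($variants as $bad) {
    $tag = '<a href="' . htmlspecialchars($bad, ENT_QUOTES, 'UTF-8') . '">x</a>';
    echo clean_uri_tag($tag), "\n";
}
```

The point of the first step is the one the comment makes: `htmlspecialchars` (and therefore Dwoo's auto-escaping) only prevents breaking out of the attribute; it does not decide whether the attribute's value is a safe URL. That decision needs a URI parser with a scheme allow-list, which is what HTML Purifier applies to `href`, `src` and `action` once the whole tag is handed to it.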