$NetBSD: patch-share_html_Search_Elements_ResultsRSSView,v 1.1 2015/03/01 22:45:26 spz Exp $

fixes for CVE-2015-1165 and CVE-2015-1464 taken from the patch for RT 4.0.0

--- share/html/Search/Elements/ResultsRSSView.orig	2013-05-22 19:03:04.000000000 +0000
+++ share/html/Search/Elements/ResultsRSSView
@@ -48,7 +48,7 @@
 <%INIT>
 use Encode ();
 
-my $old_current_user;
+my $current_user = $session{CurrentUser};
 
 if ( $m->request_comp->path =~ RT->Config->Get('WebNoAuthRegex') ) {
     my $path = $m->dhandler_arg;
@@ -78,13 +78,11 @@ if ( $m->request_comp->path =~ RT->Confi
       unless $user->ValidateAuthString( $auth,
               $ARGS{Query} . $ARGS{Order} . $ARGS{OrderBy} );
 
-    $old_current_user = $session{'CurrentUser'};
-    my $cu               = RT::CurrentUser->new;
-    $cu->Load($user);
-    $session{'CurrentUser'} = $cu;
+    $current_user = RT::CurrentUser->new;
+    $current_user->Load($user);
 }
 
-my $Tickets = RT::Tickets->new($session{'CurrentUser'});
+my $Tickets = RT::Tickets->new($current_user);
 $Tickets->FromSQL($ARGS{'Query'});
 if ($OrderBy =~ /\|/) {
     # Multiple Sorts
@@ -121,10 +119,17 @@ $r->content_type('application/rss+xml');
     while ( my $Ticket = $Tickets->Next()) {
         my $creator_str = $m->scomp('/Elements/ShowUser', User => $Ticket->CreatorObj);
         $creator_str =~ s/[\r\n]//g;
+
+        # Get the plain-text content; it is interpreted as HTML by RSS
+        # readers, so it must be escaped (and is escaped _again_ when
+        # inserted into the XML).
+        my $content = $Ticket->Transactions->First->Content;
+        $content = $m->interp->apply_escapes( $content, 'h');
+
         $rss->add_item(
           title       =>  $Ticket->Subject || loc('No Subject'),
           link        => RT->Config->Get('WebURL')."Ticket/Display.html?id=".$Ticket->id,
-          description => $Ticket->Transactions->First->Content,
+          description => $content,
           dc          => { creator => $creator_str,
                            date => $Ticket->CreatedObj->RFC2822,
                          },
@@ -133,7 +138,6 @@ $r->content_type('application/rss+xml');
     }
 
 $m->out($rss->as_string);
-$session{'CurrentUser'} = $old_current_user if $old_current_user;
 $m->abort();
 </%INIT>
 <%ARGS>
