X-Git-Url: http://git.freeside.biz/gitweb/?a=blobdiff_plain;f=rt%2Fshare%2Fhtml%2FSearch%2FElements%2FResultsRSSView;h=0bce7ec45c627c99e243cd008e63f587a2e190e7;hb=31f3763747b82764bb019cfab5b2a2945fc9a99d;hp=a453a8603d78cfc0baa6751150bac381d6d2a29d;hpb=5b3efac57771fbc37874a3dd39d3df835cdd6133;p=freeside.git

diff --git a/rt/share/html/Search/Elements/ResultsRSSView b/rt/share/html/Search/Elements/ResultsRSSView
index a453a8603..0bce7ec45 100644
--- a/rt/share/html/Search/Elements/ResultsRSSView
+++ b/rt/share/html/Search/Elements/ResultsRSSView
@@ -2,7 +2,7 @@
 %#
 %# COPYRIGHT:
 %#
-%# This software is Copyright (c) 1996-2014 Best Practical Solutions, LLC
+%# This software is Copyright (c) 1996-2015 Best Practical Solutions, LLC
 %#                                          <sales@bestpractical.com>
 %#
 %# (Except where explicitly superseded by other copyright notices)
@@ -46,7 +46,7 @@
 %#
 %# END BPS TAGGED BLOCK }}}
 <%INIT>
-my $old_current_user;
+my $current_user = $session{CurrentUser};
 
 if ( $m->request_comp->path =~ RT->Config->Get('WebNoAuthRegex') ) {
     my $path = $m->dhandler_arg;
@@ -76,13 +76,11 @@ if ( $m->request_comp->path =~ RT->Config->Get('WebNoAuthRegex') ) {
       unless $user->ValidateAuthString( $auth,
               $ARGS{Query} . $ARGS{Order} . $ARGS{OrderBy} );
 
-    $old_current_user = $session{'CurrentUser'};
-    my $cu               = RT::CurrentUser->new;
-    $cu->Load($user);
-    $session{'CurrentUser'} = $cu;
+    $current_user = RT::CurrentUser->new;
+    $current_user->Load($user);
 }
 
-my $Tickets = RT::Tickets->new($session{'CurrentUser'});
+my $Tickets = RT::Tickets->new($current_user);
 $Tickets->FromSQL($ARGS{'Query'});
 if ($OrderBy =~ /\|/) {
     # Multiple Sorts
@@ -119,10 +117,17 @@ $r->content_type('application/rss+xml');
     while ( my $Ticket = $Tickets->Next()) {
         my $creator_str = $m->scomp('/Elements/ShowUser', User => $Ticket->CreatorObj);
         $creator_str =~ s/[\r\n]//g;
+
+        # Get the plain-text content; it is interpreted as HTML by RSS
+        # readers, so it must be escaped (and is escaped _again_ when
+        # inserted into the XML).
+        my $content = $Ticket->Transactions->First->Content;
+        $content = $m->interp->apply_escapes( $content, 'h');
+
         $rss->add_item(
           title       =>  $Ticket->Subject || loc('No Subject'),
           link        => RT->Config->Get('WebURL')."Ticket/Display.html?id=".$Ticket->id,
-          description => $Ticket->Transactions->First->Content,
+          description => $content,
           dc          => { creator => $creator_str,
                            date => $Ticket->CreatedObj->RFC2822,
                          },
@@ -131,7 +136,6 @@ $r->content_type('application/rss+xml');
     }
 
 $m->out($rss->as_string);
-$session{'CurrentUser'} = $old_current_user if $old_current_user;
 $m->abort();
 </%INIT>
 <%ARGS>