SS-2015-022: XML escape RSSFeed $link parameter
- Severity: Low
- Versions Affected: 3.1.15 and below, 3.2.0
- Versions Fixed: 3.1.16, 3.2.1
- Release Date:
When RSSLink is created, it is given a URL that is rendered via $Link in a template without being properly escaped.
This was resolved by ensuring that $Link is cast to Varchar, which is XML encoded by default in any template.
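
The effect of XML-encoding the link can be checked by rendering a feed both ways and parsing the result. The following is an added example in plain PHP, not SilverStripe's RSSFeed code; `xml_escape()`, `render_channel()`, `parsed_link()` and the sample URLs are hypothetical and constructed for illustration.

```php
<?php
// Added illustration in plain PHP; this is not SilverStripe's RSSFeed code.
// render_channel() is a hypothetical stand-in for the RSS template.

/** XML-encode a value, as an escaped-by-default template field would. */
function xml_escape(string $value): string
{
    return htmlspecialchars($value, ENT_XML1 | ENT_QUOTES, 'UTF-8');
}

/** Render a minimal RSS channel; $escape toggles encoding of the link. */
function render_channel(string $title, string $link, bool $escape): string
{
    $linkOut = $escape ? xml_escape($link) : $link;
    return '<?xml version="1.0" encoding="UTF-8"?>' . "\n"
        . '<rss version="2.0"><channel>'
        . '<title>' . xml_escape($title) . '</title>'
        . '<link>' . $linkOut . '</link>'
        . '</channel></rss>';
}

/** Parse the feed; return the text of <link>, or null if the feed is broken. */
function parsed_link(string $xml): ?string
{
    $previous = libxml_use_internal_errors(true);
    $doc = new DOMDocument();
    $ok = $doc->loadXML($xml);
    libxml_clear_errors();
    libxml_use_internal_errors($previous);
    if (!$ok) { return null; }
    $nodes = $doc->getElementsByTagName('link');
    return $nodes->length === 1 ? $nodes->item(0)->textContent : null;
}

// Constructed sample links (example.com is a placeholder host).
$samples = [
    'https://example.com/news/rss',
    'https://example.com/news/rss?tag=a&page=2',   // bare ampersand
    'https://example.com/news/rss?q=<b>x</b>',     // markup characters
];

foreach ($samples as $link) {
    $raw = parsed_link(render_channel('News', $link, false));
    $escaped = parsed_link(render_channel('News', $link, true));
    printf("%s\n  raw:     %s\n  escaped: %s\n", $link,
        $raw === $link ? 'round-trips' : 'broken or altered',
        $escaped === $link ? 'round-trips' : 'broken or altered');
}
```

Only the first sample survives unescaped rendering; with encoding applied, all three parse as well-formed XML and the `<link>` text matches the original URL.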