We are performing our own escaping of strings before passing them into the library, because the docs mention that no escaping is performed. However it turns out that there is some (limited?) sanitization performed, which results in double escaping. Specifically I noticed the following in 2.0.9:
- In `Item.title`, `& < > \" '` becomes `& < > " '` (with `'` not being recommended)
- In `Item.description`, the same test string becomes `& < > " ’`, even though it is inside a CDATA section so no escaping should be necessary
- I haven't tested other fields or structs
To fix this bug, please remove all escaping so that behaviour matches the documentation. Alternatively change the documentation, and guarantee to perform correct escaping on all fields (not sure if this is currently the case).
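
An added example (not part of the original report and not the library's code): a round-trip probe that decides which side owns escaping for a field, using the report's test string. The three `writer_*` functions are hypothetical stand-ins for a feed writer's field serializers, and the element names are only illustrative.

```python
from xml.sax.saxutils import escape
import xml.etree.ElementTree as ET

PROBE = "& < > \" '"  # test string from the report
QUOTES = {'"': "&quot;", "'": "&apos;"}

# Hypothetical field serializers (constructed for this example).
def writer_raw(text):
    # Behaves as the documentation describes: no escaping at all.
    return f"<title>{text}</title>"

def writer_escaping(text):
    # Escapes on the caller's behalf, including both quote characters.
    return f"<title>{escape(text, QUOTES)}</title>"

def writer_cdata(text):
    # Inside CDATA only the terminator "]]>" needs handling: split it
    # across two sections so the payload stays verbatim.
    body = text.replace("]]>", "]]]]><![CDATA[>")
    return f"<description><![CDATA[{body}]]></description>"

def roundtrip(writer, text):
    """Serialize with the writer, parse with a real XML parser,
    and return the text a feed reader would see."""
    return ET.fromstring(writer(text)).text

def escaping_owner(writer):
    """'caller' if raw input breaks the document, 'writer' if the probe
    survives the round trip unchanged, 'unknown' if it comes back altered."""
    try:
        seen = roundtrip(writer, PROBE)
    except ET.ParseError:
        return "caller"
    return "writer" if seen == PROBE else "unknown"

if __name__ == "__main__":
    for w in (writer_raw, writer_escaping, writer_cdata):
        print(w.__name__, "->", escaping_owner(w))
    # Double escaping: the caller pre-escapes and the writer escapes again,
    # so the reader sees literal entity text instead of the characters.
    print(roundtrip(writer_escaping, escape(PROBE, QUOTES)))
```

Running the probe against each field in a test suite pins the escaping contract, so a library upgrade that starts or stops escaping fails a test instead of silently producing double-escaped or malformed feeds.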