fix(rss/atom): sanitize enclosure URLs containing &

src/__tests__/__snapshots__/atom1.spec.ts.snap

@@ -83,3 +83,74 @@ exports[`atom 1.0 should generate a valid feed with stylesheet 1`] = `
     <rights>All rights reserved 2013, John Doe</rights>
 </feed>"
 `;
+
+exports[`atom 1.0 should sanitize enclosure url 1`] = `
+"<?xml version=\\"1.0\\" encoding=\\"utf-8\\"?>
+<feed xmlns=\\"http://www.w3.org/2005/Atom\\">
+    <id>http://example.com/?link=sanitized&amp;value=4</id>
+    <title>Feed Title</title>
+    <updated>2013-07-13T23:00:00.000Z</updated>
+    <generator>https://github.com/jpmonette/feed</generator>
+    <author>
+        <name>John Doe</name>
+        <email>johndoe@example.com</email>
+        <uri>https://example.com/johndoe?link=sanitized&amp;value=2</uri>
+    </author>
+    <link rel=\\"alternate\\" href=\\"http://example.com/?link=sanitized&amp;value=3\\"/>
+    <link rel=\\"self\\" href=\\"http://example.com/sampleFeed.rss?link=sanitized&amp;value=2\\"/>
+    <link rel=\\"hub\\" href=\\"wss://example.com/\\"/>
+    <subtitle>This is my personnal feed!</subtitle>
+    <logo>http://example.com/image.png?link=sanitized&amp;value=6</logo>
+    <icon>http://example.com/image.ico?link=sanitized&amp;value=7</icon>
+    <rights>All rights reserved 2013, John Doe</rights>
+    <category term=\\"Technology\\"/>
+    <contributor>
+        <name>Johan Cruyff</name>
+        <email>johancruyff@example.com</email>
+        <uri>https://example.com/johancruyff</uri>
+    </contributor>
+    <entry>
+        <title type=\\"html\\"><![CDATA[Hello World]]></title>
+        <id>https://example.com/hello-world?id=this&amp;that=true</id>
+        <link href=\\"https://example.com/hello-world?link=sanitized&amp;value=2\\"/>
+        <link rel=\\"enclosure\\" href=\\"https://example.com/hello-world.jpg\\" type=\\"image/jpg\\" length=\\"12665\\"/>
+        <link rel=\\"enclosure\\" href=\\"https://example.com/hello-world.jpg\\" type=\\"image/jpg\\"/>
+        <updated>2013-07-13T23:00:00.000Z</updated>
+        <summary type=\\"html\\"><![CDATA[This is an article about Hello World.]]></summary>
+        <content type=\\"html\\"><![CDATA[Content of my item]]></content>
+        <author>
+            <name>Jane Doe</name>
+            <email>janedoe@example.com</email>
+            <uri>https://example.com/janedoe?link=sanitized&amp;value=2</uri>
+        </author>
+        <author>
+            <name>Joe Smith</name>
+            <email>joesmith@example.com</email>
+            <uri>https://example.com/joesmith</uri>
+        </author>
+        <author>
+            <name>Joe Smith, Name Only</name>
+        </author>
+        <category label=\\"Grateful Dead\\"/>
+        <category label=\\"MSFT\\"/>
+        <contributor>
+            <name>Shawn Kemp</name>
+            <email>shawnkemp@example.com</email>
+            <uri>https://example.com/shawnkemp</uri>
+        </contributor>
+        <contributor>
+            <name>Reggie Miller</name>
+            <email>reggiemiller@example.com</email>
+            <uri>https://example.com/reggiemiller</uri>
+        </contributor>
+        <published>2013-07-10T23:00:00.000Z</published>
+    </entry>
+    <entry>
+        <title type=\\"html\\"><![CDATA[Hello World]]></title>
+        <id>http://example.org/sanitize</id>
+        <link href=\\"http://example.org/sanitize\\"/>
+        <link rel=\\"enclosure\\" href=\\"https://example.com/hello&amp;world.png\\" type=\\"image/png\\"/>
+        <updated>2013-07-13T23:00:00.000Z</updated>
+    </entry>
+</feed>"
+`;

src/__tests__/__snapshots__/rss2.spec.ts.snap

@@ -863,3 +863,145 @@ exports[`rss 2.0 should generate a valid podcast feed with audio 1`] = `
     </channel>
 </rss>"
 `;
+
+exports[`rss 2.0 should sanitize enclosure url 1`] = `
+"<?xml version=\\"1.0\\" encoding=\\"utf-8\\"?>
+<rss version=\\"2.0\\" xmlns:dc=\\"http://purl.org/dc/elements/1.1/\\" xmlns:content=\\"http://purl.org/rss/1.0/modules/content/\\" xmlns:atom=\\"http://www.w3.org/2005/Atom\\">
+    <channel>
+        <title>Feed Title</title>
+        <link>http://example.com/?link=sanitized&amp;value=3</link>
+        <description>This is my personnal feed!</description>
+        <lastBuildDate>Sat, 13 Jul 2013 23:00:00 GMT</lastBuildDate>
+        <docs>https://validator.w3.org/feed/docs/rss2.html</docs>
+        <generator>https://github.com/jpmonette/feed</generator>
+        <language>en</language>
+        <ttl>60</ttl>
+        <image>
+            <title>Feed Title</title>
+            <url>http://example.com/image.png?link=sanitized&amp;value=6</url>
+            <link>http://example.com/?link=sanitized&amp;value=3</link>
+        </image>
+        <copyright>All rights reserved 2013, John Doe</copyright>
+        <category>Technology</category>
+        <atom:link href=\\"http://example.com/sampleFeed.rss?link=sanitized&amp;value=2\\" rel=\\"self\\" type=\\"application/rss+xml\\"/>
+        <atom:link href=\\"wss://example.com/\\" rel=\\"hub\\"/>
+        <item>
+            <title><![CDATA[Hello World]]></title>
+            <link>https://example.com/hello-world?link=sanitized&amp;value=2</link>
+            <guid isPermaLink=\\"false\\">https://example.com/hello-world?id=this&amp;that=true</guid>
+            <pubDate>Wed, 10 Jul 2013 23:00:00 GMT</pubDate>
+            <description><![CDATA[This is an article about Hello World.]]></description>
+            <content:encoded><![CDATA[Content of my item]]></content:encoded>
+            <author>janedoe@example.com (Jane Doe)</author>
+            <author>joesmith@example.com (Joe Smith)</author>
+            <author>Joe Smith, Name Only</author>
+            <category>Grateful Dead</category>
+            <category domain=\\"http://www.fool.com/cusips\\">MSFT</category>
+            <enclosure url=\\"https://example.com/hello-world.jpg\\" length=\\"0\\" type=\\"image/jpg\\"/>
+            <_item_extension_1>
+                <about>just an item extension example</about>
+                <dummy1>example</dummy1>
+            </_item_extension_1>
+            <_item_extension_2>
+                <about>just a second item extension example</about>
+                <dummy1>example</dummy1>
+            </_item_extension_2>
+        </item>
+        <item>
+            <title><![CDATA[Hello World]]></title>
+            <link>https://example.com/hello-world2</link>
+            <guid isPermaLink=\\"false\\">419c523a-28f4-489c-877e-9604be64c001</guid>
+            <pubDate>Wed, 10 Jul 2013 23:00:00 GMT</pubDate>
+            <description><![CDATA[This is an article about Hello World.]]></description>
+            <content:encoded><![CDATA[Content of my item]]></content:encoded>
+            <author>janedoe@example.com (Jane Doe)</author>
+            <author>joesmith@example.com (Joe Smith)</author>
+            <category>Grateful Dead</category>
+            <category domain=\\"http://www.fool.com/cusips\\">MSFT</category>
+            <enclosure length=\\"12665\\" type=\\"image/jpg\\" url=\\"https://example.com/hello-world.jpg\\"/>
+            <_item_extension_1>
+                <about>just an item extension example</about>
+                <dummy1>example</dummy1>
+            </_item_extension_1>
+            <_item_extension_2>
+                <about>just a second item extension example</about>
+                <dummy1>example</dummy1>
+            </_item_extension_2>
+        </item>
+        <item>
+            <title><![CDATA[Hello World]]></title>
+            <link>https://example.com/hello-world2</link>
+            <guid isPermaLink=\\"false\\">419c523a-28f4-489c-877e-9604be64c001</guid>
+            <pubDate>Wed, 10 Jul 2013 23:00:00 GMT</pubDate>
+            <description><![CDATA[This is an article about Hello World.]]></description>
+            <content:encoded><![CDATA[Content of my item]]></content:encoded>
+            <author>janedoe@example.com (Jane Doe)</author>
+            <author>joesmith@example.com (Joe Smith)</author>
+            <category>Grateful Dead</category>
+            <category domain=\\"http://www.fool.com/cusips\\">MSFT</category>
+            <enclosure length=\\"12665\\" type=\\"image/jpg\\" url=\\"https://example.com/hello-world.jpg\\"/>
+            <_item_extension_1>
+                <about>just an item extension example</about>
+                <dummy1>example</dummy1>
+            </_item_extension_1>
+            <_item_extension_2>
+                <about>just a second item extension example</about>
+                <dummy1>example</dummy1>
+            </_item_extension_2>
+        </item>
+        <item>
+            <title><![CDATA[Hello World]]></title>
+            <link>https://example.com/hello-world3</link>
+            <guid isPermaLink=\\"true\\">https://example.com/hello-world3</guid>
+            <pubDate>Wed, 10 Jul 2013 23:00:00 GMT</pubDate>
+            <description><![CDATA[This is an article about Hello World.]]></description>
+            <content:encoded><![CDATA[Content of my item]]></content:encoded>
+            <author>janedoe@example.com (Jane Doe)</author>
+            <author>joesmith@example.com (Joe Smith)</author>
+            <category>Grateful Dead</category>
+            <category domain=\\"http://www.fool.com/cusips\\">MSFT</category>
+            <enclosure length=\\"12665\\" type=\\"audio/mpeg\\" url=\\"https://example.com/hello-world.mp3\\"/>
+            <_item_extension_1>
+                <about>just an item extension example</about>
+                <dummy1>example</dummy1>
+            </_item_extension_1>
+            <_item_extension_2>
+                <about>just a second item extension example</about>
+                <dummy1>example</dummy1>
+            </_item_extension_2>
+        </item>
+        <item>
+            <title><![CDATA[Hello World]]></title>
+            <link>http://example.org/guid</link>
+            <guid isPermaLink=\\"false\\">50e14f43-dd4e-412f-864d-78943ea28d91</guid>
+            <pubDate>Wed, 10 Jul 2013 23:00:00 GMT</pubDate>
+        </item>
+        <item>
+            <title><![CDATA[Hello World]]></title>
+            <link>http://example.org/id</link>
+            <guid isPermaLink=\\"false\\">67e32b59-3348-4dc3-9645-75c60b6f50cc</guid>
+            <pubDate>Wed, 10 Jul 2013 23:00:00 GMT</pubDate>
+        </item>
+        <item>
+            <title><![CDATA[Hello World]]></title>
+            <link>http://example.org/link</link>
+            <guid isPermaLink=\\"true\\">http://example.org/link</guid>
+            <pubDate>Wed, 10 Jul 2013 23:00:00 GMT</pubDate>
+        </item>
+        <item>
+            <title><![CDATA[Hello World]]></title>
+            <link>http://example.org/sanitize</link>
+            <guid isPermaLink=\\"true\\">http://example.org/sanitize</guid>
+            <pubDate>Wed, 10 Jul 2013 23:00:00 GMT</pubDate>
+            <enclosure length=\\"0\\" type=\\"image/png\\" url=\\"https://example.com/hello&amp;world.png\\"/>
+        </item>
+        <_example_extension>
+            <about>just an extension example</about>
+            <dummy>example</dummy>
+        </_example_extension>
+        <extension_name>
+            <about>just an extension example</about>
+        </extension_name>
+    </channel>
+</rss>"
+`;

src/__tests__/atom1.spec.ts

@@ -30,4 +30,15 @@ describe("atom 1.0", () => {
     const actual = sampleFeed.atom1();
     expect(actual).toMatchSnapshot();
   });
+  it("should sanitize enclosure url", () => {
+    sampleFeed.addItem({
+      title: "Hello World",
+      link: "http://example.org/sanitize",
+      enclosure: { url: "https://example.com/hello&world.png" },
+      date: updated,
+    });
+    const actual = sampleFeed.atom1();
+    expect(actual).toMatchSnapshot();
+    expect(actual).toContain('<link rel="enclosure" href="https://example.com/hello&amp;world.png"');
+  });
 });

src/__tests__/rss2.spec.ts

@@ -353,4 +353,15 @@ describe("rss 2.0", () => {
     const actual = sampleFeed.rss2();
     expect(actual).toMatchSnapshot();
   });
+  it("should sanitize enclosure url", () => {
+    sampleFeed.addItem({
+      title: "Hello World",
+      link: "http://example.org/sanitize",
+      enclosure: { url: "https://example.com/hello&world.png" },
+      date: published,
+    });
+    const actual = sampleFeed.rss2();
+    expect(actual).toMatchSnapshot();
+    expect(actual).toContain('<enclosure length="0" type="image/png" url="https://example.com/hello&amp;world.png"/>');
+  });
 });

src/atom1.ts

@@ -226,15 +226,17 @@ const formatAuthor = (author: Author) => {
  */
 const formatEnclosure = (enclosure: string | Enclosure, mimeCategory = "image") => {
   if (typeof enclosure === "string") {
-    const type = new URL(enclosure).pathname.split(".").slice(-1)[0];
-    return { _attributes: { rel: "enclosure", href: enclosure, type: `${mimeCategory}/${type}` } };
+    const sanitizedUrl = sanitize(enclosure);
+    const type = new URL(sanitizedUrl!).pathname.split(".").slice(-1)[0];
+    return { _attributes: { rel: "enclosure", href: sanitizedUrl, type: `${mimeCategory}/${type}` } };
   }
 
-  const type = new URL(enclosure.url).pathname.split(".").slice(-1)[0];
+  const sanitizedUrl = sanitize(enclosure.url);
+  const type = new URL(sanitizedUrl!).pathname.split(".").slice(-1)[0];
   return {
     _attributes: {
       rel: "enclosure",
-      href: enclosure.url,
+      href: sanitizedUrl,
       title: enclosure.title,
       type: `${mimeCategory}/${type}`,
       length: enclosure.length,

src/rss2.ts

@@ -281,12 +281,14 @@ export default (ins: Feed) => {
  */
 const formatEnclosure = (enclosure: string | Enclosure, mimeCategory = "image") => {
   if (typeof enclosure === "string") {
-    const type = new URL(sanitize(enclosure)!).pathname.split(".").slice(-1)[0];
-    return { _attributes: { url: enclosure, length: 0, type: `${mimeCategory}/${type}` } };
+    const sanitizedUrl = sanitize(enclosure);
+    const type = new URL(sanitizedUrl!).pathname.split(".").slice(-1)[0];
+    return { _attributes: { url: sanitizedUrl, length: 0, type: `${mimeCategory}/${type}` } };
   }
 
-  const type = new URL(sanitize(enclosure.url)!).pathname.split(".").slice(-1)[0];
-  return { _attributes: { length: 0, type: `${mimeCategory}/${type}`, ...enclosure } };
+  const sanitizedUrl = sanitize(enclosure.url);
+  const type = new URL(sanitizedUrl!).pathname.split(".").slice(-1)[0];
+  return { _attributes: { length: 0, type: `${mimeCategory}/${type}`, ...enclosure, url: sanitizedUrl } };
 };
 
 /**