From a32e012dc847b161b2534b9a1fae8db048acf97d Mon Sep 17 00:00:00 2001
From: Wytze van der Raay <wytze@cacert.org>
Date: Sat, 14 Sep 2013 10:18:24 +0000
Subject: [PATCH] Follow-on patch for http://bugs.cacert.org/view.php?id=1190
 "News does not display teaser".

---
 pages/index/0.php | 15 ++++++++++-----
 1 file changed, 10 insertions(+), 5 deletions(-)

diff --git a/pages/index/0.php b/pages/index/0.php
index a2c2e5a..b1359f6 100644
--- a/pages/index/0.php
+++ b/pages/index/0.php
@@ -53,11 +53,16 @@
 
 		$query = "./description";
 		$nodeList = $xpath->query($query, $item);
-		$description = recode_string("UTF8..html" , $nodeList->item(0)->nodeValue);
-
-		printf("<h3> %s </h3>\n", $title);
-		printf("<p> %s </p>\n", $description);
-		printf("<p>[<a href=\"%s\"> %s </a> ] </p>\n\n", $link,_("Full Story"));
+		$description = $nodeList->item(0)->nodeValue;
+		// The description may contain HTML entities => convert them
+		$description = html_entity_decode($description, ENT_COMPAT | ENT_HTML401, 'UTF-8');
+		// Description may contain HTML markup and unicode characters => encode them
+		// If we didn't decode and then encode again, (i.e. take the content
+		// as it is in the RSS feed) we might inject harmful markup
+		$description = recode_string("UTF8..html", $description);
+
+		printf("<h3><a href=\"%s\">%s</a></h3>\n", $link, $title);
+		printf("<p>%s</p>\n", nl2br($description));
 
 		$title = '';
 		$description = '';