Fix XSS in /feed

[ildyria]

Summary by CodeRabbit

• New Features

  • RSS feed item summaries now render Markdown-formatted descriptions into HTML/text.

• Bug Fixes

  • Improved JSON feed output to emit categories reliably with proper encoding/escaping.

• Chores

  • Version bumped to 7.5.3 and a migration added to update stored version (includes cache-clear handling).

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: c47cd84b-e1da-4a46-81ac-f487363ecbd7

📥 Commits

Reviewing files that changed from the base of the PR and between 4b39f19 and cabe88f.

📒 Files selected for processing (1)

• resources/views/vendor/feed/json.blade.php

🚧 Files skipped from review as they are similar to previous changes (1)

• resources/views/vendor/feed/json.blade.php

---

📝 Walkthrough

Walkthrough

Bumps application version to 7.5.3 via a new migration, converts RSS item descriptions from Markdown to HTML for feed summaries, and changes JSON feed tag output to use JSON-encoding instead of manual unescaped string concatenation.

Changes

Cohort / File(s)	Summary
Release Version Update version.md, database/migrations/2026_03_23_162424_bump_version070503.php	Incremented recorded version to 7.5.3 and added a migration that updates configs.version and attempts to clear the cache with error handling and console output.
Feed Content Processing app/Actions/RSS/Generate.php, resources/views/vendor/feed/json.blade.php	Generate::toFeedItem() now converts description (Markdown) to HTML/text for the feed summary; JSON feed template now emits category via @json($item->category) instead of manually joining unescaped strings.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~30 minutes

Poem

🐇 I nibble the lines, version hopped to three,
Markdown to blossoms, feeds show what they be.
Tags now behave, JSON tidy and bright,
Cache got a nudge, then sank into night. ✨

🚥 Pre-merge checks | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 75.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

resources/views/vendor/feed/json.blade.php (1)

14-15: ⚠️ Potential issue | 🟠 Major

Incomplete escaping for content_html and summary fields.

The current escaping only handles double quotes but misses other JSON-breaking and potentially dangerous characters like backslashes, newlines, and control characters. A malicious description containing \" or \n could break the JSON structure or inject content.

Proposed fix using proper JSON encoding

-            "content_html": "{!! str_replace('"', '\\"', $item->summary) !!}",
-            "summary": "{!! str_replace('"', '\\"', $item->summary) !!}",
+            "content_html": `@json`($item->summary),
+            "summary": `@json`($item->summary),

Note: @json() outputs the full JSON value including quotes, so remove the surrounding ".

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 2d44e02c-1b7d-4dee-a045-81a39c9fd483

📥 Commits

Reviewing files that changed from the base of the PR and between 33dc575 and 4b39f19.

📒 Files selected for processing (4)

• app/Actions/RSS/Generate.php
• database/migrations/2026_03_23_162424_bump_version070503.php
• resources/views/vendor/feed/json.blade.php
• version.md

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 90.23%. Comparing base (8ffd8fa) to head (cabe88f).
⚠️ Report is 2 commits behind head on master.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.