fix: escape XML-unsafe characters in RSS feed output (#28)

The RSS feed interpolates author names directly into XML without
escaping. An author name containing < > & or other XML metacharacters
produces malformed XML that breaks RSS readers.

Also encode slug in URLs with encodeURIComponent for safety.

Add an escapeXml helper and apply it to the author field; use
encodeURIComponent for slug in link/guid URLs.

Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>

Author: FuturMix

apps/web/app/blog/rss.xml/route.ts

@@ -4,6 +4,15 @@ import { getDb } from '@/lib/db';
 
 const BASE = 'https://c0upons.com';
 
+function escapeXml(str: string): string {
+  return str
+    .replace(/&/g, '&')
+    .replace(/</g, '&lt;')
+    .replace(/>/g, '&gt;')
+    .replace(/"/g, '&quot;')
+    .replace(/'/g, '&apos;');
+}
+
 export async function GET() {
   let posts: Array<{ slug: string; title: string; excerpt: string | null; published_at: string; author: string | null }> = [];
 
@@ -23,10 +32,10 @@ export async function GET() {
   const items = posts.map((p) => `
     <item>
       <title><![CDATA[${p.title}]]></title>
-      <link>${BASE}/blog/${p.slug}</link>
-      <guid isPermaLink="true">${BASE}/blog/${p.slug}</guid>
+      <link>${BASE}/blog/${encodeURIComponent(p.slug)}</link>
+      <guid isPermaLink="true">${BASE}/blog/${encodeURIComponent(p.slug)}</guid>
       ${p.excerpt ? `<description><![CDATA[${p.excerpt}]]></description>` : ''}
-      ${p.author ? `<author>${p.author}</author>` : ''}
+      ${p.author ? `<author>${escapeXml(p.author)}</author>` : ''}
       <pubDate>${new Date(p.published_at).toUTCString()}</pubDate>
     </item>`).join('');