XML External Entity (XXE) Vulnerability in Latest Release

Hi, I would like to report XML External Entity (XXE) vulnerability in latest release.
Description:
XML External Entity (XXE) vulnerability in quokka/utils/atom.py 157 line and auokka/core/content/views.py 94 line, Because there is no filter authors, title.
Steps To Reproduce:
1.Create a article, title and authors can insert XML payload.
2.Open the url: 
http://192.168.100.8:8000/author/{author}/index.rss
http://192.168.100.8:8000/author/{author}/index.atom
can see the title and authors has inserted into the XML.
![3](https://user-images.githubusercontent.com/8274796/54741363-333bae80-4bf9-11e9-900a-95ba75160efd.png)
![4](https://user-images.githubusercontent.com/8274796/54741364-359e0880-4bf9-11e9-9ea7-a279fc4c329a.png)
![5](https://user-images.githubusercontent.com/8274796/54741369-38006280-4bf9-11e9-8b29-53481fdcb1d1.png)

author by jin.dong@dbappsecurity.com.cn

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

XML External Entity (XXE) Vulnerability in Latest Release #676

Metadata

Assignees

Labels

Type

Fields

Projects

Milestone

Relationships

Development

XML External Entity (XXE) Vulnerability in Latest Release #676

Description

Metadata

Metadata

Assignees

Labels

Type

Fields

Projects

Milestone

Relationships

Development

Issue actions