# Stored XSS vulnerability in RSS Feeds Description field
Severity: Low
Program: Concrete CMS
Reported by: bl4de
## Vulnerability Details
## Intro
"Pirates of the Crayons"
__Type of issue__: Core CMS issue
__Level of severity__: Internal Attack Vector
__Concrete5 version__: 8.2.0 RC2 rev. b54f2b451f0a0804699c4cf9f0b3a8fef0e407db (July 10th)
## Summary
There is a stored XSS vulnerability in the RSS Feeds `Description` property. The value of the textarea is not properly escaped on output, so malicious JavaScript can be saved in the description and is executed every time a user visits the feed screen.
## Steps to reproduce
- log in to the concrete5 instance
- go to RSS Feeds and click the Add Feed button
- in the feed `Description` textarea, enter the following payload:
```html
Description
</textarea>
<script>alert('XSS!')</script>
```
(attachment F201814)
- click the `Add` button
Now select the added feed from the `RSS Feeds` list. The JavaScript payload will execute.
(attachment F201813)
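The root cause described above is a missing output escaping step: a stored description is written straight into a `<textarea>`, so a value containing `</textarea>` closes the element early and the rest of the value is parsed as live HTML. The following PHP is an added illustration written for this page, not Concrete5's own code; the form markup, function names and the inert-body check are assumptions, and the only page-specific input is the payload from the steps above.

```php
<?php
// Added example (not Concrete5's code): the unescaped textarea rendering
// that allows the </textarea> breakout, beside the escaped rendering that
// prevents it. No scalar type hints, to stay compatible with PHP 5.6.

// Vulnerable rendering: the stored description is echoed straight into the
// textarea. A value containing </textarea> ends the element early, and any
// markup after it (such as a <script> element) becomes part of the page.
function renderDescriptionVulnerable($description)
{
    return '<textarea name="description">' . $description . '</textarea>';
}

// Hardened rendering: escape on output, not on input. htmlspecialchars turns
// '<', '>', '&' and (with ENT_QUOTES) both quote characters into entities,
// so the browser shows the payload as text inside the textarea.
function renderDescriptionEscaped($description)
{
    return '<textarea name="description">'
        . htmlspecialchars($description, ENT_QUOTES | ENT_HTML5, 'UTF-8')
        . '</textarea>';
}

// Simple defender-side check (assumed helper): a correctly escaped textarea
// body must not contain a raw '<' between the opening tag and the final
// closing tag. The vulnerable output fails this, the escaped output passes.
function textareaBodyIsInert($html)
{
    $start = strpos($html, '>') + 1;
    $end   = strrpos($html, '</textarea>');
    $body  = substr($html, $start, $end - $start);
    return strpos($body, '<') === false;
}

// Payload from the report, used here as constructed input.
$payload = "Description\n</textarea>\n<script>alert('XSS!')</script>";

$vulnerable = renderDescriptionVulnerable($payload);
$escaped    = renderDescriptionEscaped($payload);

echo "Vulnerable output:\n" . $vulnerable . "\n\n";
echo "Escaped output:\n" . $escaped . "\n\n";

// Evidence: the vulnerable markup carries a live <script> element and fails
// the inert-body check; the escaped markup keeps the payload as plain text.
var_dump(strpos($vulnerable, '<script>') !== false);
var_dump(textareaBodyIsInert($vulnerable));
var_dump(textareaBodyIsInert($escaped));
```

Running this prints the two renderings followed by `bool(true)`, `bool(false)`, `bool(true)`. The design point is that the fix belongs at the output boundary: stripping `<script>` from the stored value does not help when the break-out happens through `</textarea>`, whereas entity-encoding every stored description at render time neutralizes the whole class of payloads regardless of what was saved.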
## Impact
Although this issue has a smaller impact than the one previously reported by Corben Douglas (@sxcurity) in https://hackerone.com/reports/221380 (Stored XSS in RSS Feeds Title (Concrete5 v8.1.0)), because it requires the victim to open the feed edit form, it still introduces an internal attack vector against any concrete5 user.
## Testing environment
System:
- Concrete5 version 8.2.0 RC2, commit b54f2b451f0a0804699c4cf9f0b3a8fef0e407db (July 10th), installed locally
- PHP ver. 5.6.30
- Apache HTTP Server 2.4.25 for macOS
- MySQL ver. 5.7.13 for macOS
This vulnerability was tested on macOS Sierra 10.12.5 with the following browsers:
- Chrome 59.0.3071.115
- Chromium build 61.0.3131.0
- Opera 46.0.2597.32
## Wrap up
I hope my report will help keep Concrete5 safe in the future.
Best Regards,
Rafal 'bl4de' Janicki
## Report Details
- State: Closed
- Substate: Resolved
- Weakness: Cross-site Scripting (XSS) - Stored