Sanitize loc and href in sitemap template (#445)

Co-authored-by: Duncan McClean <duncan@duncanmcclean.com>

Author: strixTheCaptn

src/Sitemap/Page.php

@@ -20,7 +20,7 @@ public function path()
 
     public function loc()
     {
-        return $this->data->get('canonical_url');
+        return htmlspecialchars($this->data->get('canonical_url'), ENT_QUOTES | ENT_XML1, 'UTF-8');
     }
 
     public function lastmod()

src/Sitemap/Sitemap.php

@@ -258,11 +258,11 @@ private function hrefLangsForEntry(Entry $entry): array
             ->filter(fn (Site $site) => $entry->in($site->handle())->published())
             ->reject(fn (Site $site) => collect(config('statamic.seo-pro.alternate_locales.excluded_sites'))->contains($site->handle()))
             ->map(fn (Site $site) => [
-                'href' => $entry->in($site->handle())->absoluteUrl(),
+                'href' => $this->sanitizeUrl($entry->in($site->handle())->absoluteUrl()),
                 'hreflang' => strtolower(str_replace('_', '-', $site->locale())),
             ])
             ->push([
-                'href' => $entry->root()->absoluteUrl(),
+                'href' => $this->sanitizeUrl($entry->root()->absoluteUrl()),
                 'hreflang' => 'x-default',
             ])
             ->all();
@@ -274,13 +274,18 @@ private function hrefLangsForTerm(Term $term): array
             ->values()
             ->reject(fn (Site $site) => collect(config('statamic.seo-pro.alternate_locales.excluded_sites'))->contains($site->handle()))
             ->map(fn (Site $site) => [
-                'href' => $term->in($site->handle())->absoluteUrl(),
+                'href' => $this->sanitizeUrl($term->in($site->handle())->absoluteUrl()),
                 'hreflang' => strtolower(str_replace('_', '-', $site->locale())),
             ])
             ->push([
-                'href' => $term->inDefaultLocale()->absoluteUrl(),
+                'href' => $this->sanitizeUrl($term->inDefaultLocale()->absoluteUrl()),
                 'hreflang' => 'x-default',
             ])
             ->all();
     }
+
+    private function sanitizeUrl(string $url): string
+    {
+        return htmlspecialchars($url, ENT_QUOTES | ENT_XML1, 'UTF-8');
+    }
 }

tests/SitemapTest.php

@@ -489,6 +489,35 @@ public function it_outputs_additional_items()
 
         $this->assertCount(8, $this->getPagesFromSitemapXml($content));
     }
+
+    #[Test]
+    public function it_sanitizes_special_characters()
+    {
+        Sitemap::hook('additional', function ($payload, $next) {
+            $payload->items->push((new Page)->with([
+                'canonical_url' => url('\'"<>&'),
+                'last_modified' => Carbon::parse('2025-01-01'),
+                'change_frequency' => 'monthly',
+                'priority' => 0.5,
+            ]));
+
+            return $next($payload);
+        });
+
+        $this
+            ->get('/sitemap.xml')
+            ->assertOk()
+            ->assertHeader('Content-Type', 'text/xml; charset=UTF-8')
+            ->assertSeeInOrder([
+                '<url>',
+                '<loc>http://cool-runnings.com/&apos;&quot;&lt;&gt;&amp;</loc>',
+                '<lastmod>2025-01-01</lastmod>',
+                '<changefreq>monthly</changefreq>',
+                '<priority>0.5</priority>',
+                '</url>',
+                '</urlset>',
+            ], escape: false);
+    }
 }
 
 class CustomSitemap extends Sitemap