AntFleet

Disagreement · 528e46ce-anthropic-4

RSS escape map omits non-printable control characters that XML 1.0 forbids

solo Opus
repo e24ef98c · PR #10 · reviewed 1 week ago

Opus finding

RSS escape map omits non-printable control characters that XML 1.0 forbids

medium · bug · medium
  • apps/web/lib/rss.ts:6-18
Per the file's own comment, escapeXml must handle every character XML treats as syntactic. XML 1.0 prohibits most C0 control characters (U+0000–U+0008, U+000B, U+000C, U+000E–U+001F). If a finding title or maintainer comment contains such a byte (e.g. a stray \u0001 from an LLM tool output), the resulting XML is malformed and strict parsers (Slack /feed, validator.w3.org) will reject the feed. Source data flows from reviews.title and finding_status.title, which are indirectly upstream-controllable through GitHub PR metadata. The comment is therefore aspirational, not accurate.

Recommendation

Extend escapeXml to strip or replace XML-illegal control characters (e.g. /[\x00-\x08\x0B\x0C\x0E-\x1F]/g → '').
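An added example, not the code in apps/web/lib/rss.ts: an escapeXml that applies the recommendation above, plus a helper that reports which code points would be dropped so a sanitized feed item can be logged. The five-entity map and the helper name findXmlIllegalChars are assumptions; the block also drops U+FFFE and U+FFFF, which XML 1.0's Char production excludes alongside the C0 range.

```typescript
// Added example (not the project's rss.ts). Characters XML 1.0 (§2.2, Char)
// does not allow anywhere in a document: U+0000–U+0008, U+000B, U+000C,
// U+000E–U+001F. Tab, LF and CR are allowed. U+FFFE/U+FFFF are also excluded
// by the spec and are included here as a small extension of the recommendation.
const XML_ILLEGAL = /[\x00-\x08\x0B\x0C\x0E-\x1F\uFFFE\uFFFF]/g;

// Assumed escape map for the five characters XML treats as syntactic in text
// and attribute values.
const XML_ESCAPES: Record<string, string> = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&apos;",
};

// Strip XML-illegal control characters first, then entity-escape. The order
// does not matter for correctness (no escape output contains a control
// character), but stripping first keeps the regex work on the shorter string.
function escapeXml(input: string): string {
  return input
    .replace(XML_ILLEGAL, "")
    .replace(/[&<>"']/g, (ch) => XML_ESCAPES[ch]);
}

// Detection helper (assumed name): list the code points escapeXml would drop,
// so the feed builder can log why an upstream title was altered.
function findXmlIllegalChars(input: string): number[] {
  const dropped: number[] = [];
  for (let i = 0; i < input.length; i++) {
    const c = input.charCodeAt(i);
    const illegal =
      c <= 0x08 || c === 0x0b || c === 0x0c || (c >= 0x0e && c <= 0x1f) ||
      c === 0xfffe || c === 0xffff;
    if (illegal) dropped.push(c);
  }
  return dropped;
}

// Constructed sample: a PR title carrying a stray U+0001 and XML metacharacters.
const sampleTitle = "Fix <parser> & 'quote'\u0001 \"ok\"\ttab";
console.log(findXmlIllegalChars(sampleTitle)); // [1]
console.log(`<title>${escapeXml(sampleTitle)}</title>`);
```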

Other reviewer

The other reviewer flagged nothing in this file/line range.

Why this didn't post

This finding didn't meet AntFleet's unanimous agreement threshold. Both frontier models review every PR independently; only findings they both flag with the same severity and category are posted to the PR. This one fell through.


From the same review

These findings passed the unanimous gate on the same PR review. The disagreement above was filtered out; the findings below were posted.