- Affected version
- 2.3.10
When XenForo renders BBCode into HTML for RSS, it might inject code for cookie consent:
Code:
<item>
<title>XF2 [8WR] XenRio 2 (Streams) PRO [Paid]</title>
<pubDate>Sun, 22 Mar 2026 20:39:01 +0000</pubDate>
<link>https://xenforo.com/community/threads/xf2-8wr-xenrio-2-streams-pro-paid.140206/</link>
<guid isPermaLink="false">140206</guid>
<author>invalid@example.com (Jaxel)</author>
<category domain="https://xenforo.com/community/forums/add-on-releases-2-x.95/"><![CDATA[Add-on releases [2.x]]]></category>
<dc:creator>Jaxel</dc:creator>
<content:encoded><![CDATA[<div class="bbWrapper">Jaxel submitted a new resource:<br />
<br />
<a href="https://xenforo.com/community/resources/xf2-8wr-xenrio-2-streams-pro.6024/" class="link link--internal">XF2 [8WR] XenRio 2 (Streams) PRO</a> - Live stream scraper and browser. Add-on from 8WAYRUN.<br />
<br />
<blockquote data-attributes="" data-quote="" data-source=""
class="bbCodeBlock bbCodeBlock--expandable bbCodeBlock--quote js-expandWatch">
<div class="bbCodeBlock-content">
<div class="bbCodeBlock-expandContent js-expandContent ">
<b><span style="color: rgb(184, 49, 47)">BRANDING REMOVAL</span></b> can be purchased <a href="http://8wayrun.fetchapp.com/sell/752f3415" target="_blank" class="link link--external" rel="nofollow ugc noopener"><b>HERE</b></a>:<br />
<br />
This is a complete rewrite of my popular live streaming scraper for XenForo. XenRio periodically scrapes various APIs in order to keep your users informed of the currently live broadcasts relevant to your community. <br />
<br />
<b>Demo</b>:<br />
<br />
<div style="margin-left: 40px"><form action="/community/misc/cookies?update=1&add=1" method="post" class="bbMediaJustifier"
data-xf-init="cookie-consent-form ajax-submit" data-redirect="off" data-media-site-id="youtube" data-media-key="guJK3MgvZQE"
>
<input type="hidden" name="_xfToken" value="1774272202,dd9e6d6918d2066b8509f74dc0e7d3b6" />
<div class="block-rowMessage block-rowMessage--alt">
<div class="u-dimmed u-smaller">
To view this content we will need your consent to set third party cookies.<br>
For more detailed information, see our <a href="/community/help/cookies">cookies page</a>.
</div>
<div class="u-inputSpacer">
<button type="submit" class="button button--small"><span class="button-text">Accept third party cookies</span></button>
</div>
<input type="hidden" name="consent[_third_party]" value="1" />
<input type="hidden" name="_xfRedirect" value="" />
</div>
<template class="js-embedHtml"><div class="bbMediaWrapper" data-media-site-id="youtube" data-media-key="guJK3MgvZQE">
<div class="bbMediaWrapper-inner">
<iframe src="https://www.youtube.com/embed/guJK3MgvZQE?wmode=opaque"
loading="lazy"
width="560" height="315"
frameborder="0" allowfullscreen="true"></iframe>
</div>
</div></template>
</form>​</div><br />
<b>Basic...</b>
</div>
<div class="bbCodeBlock-expandLink js-expandLink"><a role="button" tabindex="0">Click to expand...</a></div>
</div>
</blockquote><br />
<a href="https://xenforo.com/community/threads/xf2-8wr-xenrio-2-streams-pro-paid.140206/" class="link link--internal">Read more</a></div>]]></content:encoded>
<slash:comments>766</slash:comments>
</item>
Specifically this part
Code:
<div style="margin-left: 40px"><form action="/community/misc/cookies?update=1&add=1" method="post" class="bbMediaJustifier"
data-xf-init="cookie-consent-form ajax-submit" data-redirect="off" data-media-site-id="youtube" data-media-key="guJK3MgvZQE"
>
<input type="hidden" name="_xfToken" value="1774272202,dd9e6d6918d2066b8509f74dc0e7d3b6" />
<div class="block-rowMessage block-rowMessage--alt">
<div class="u-dimmed u-smaller">
To view this content we will need your consent to set third party cookies.<br>
For more detailed information, see our <a href="/community/help/cookies">cookies page</a>.
</div>
<div class="u-inputSpacer">
<button type="submit" class="button button--small"><span class="button-text">Accept third party cookies</span></button>
</div>
<input type="hidden" name="consent[_third_party]" value="1" />
<input type="hidden" name="_xfRedirect" value="" />
</div>
<template class="js-embedHtml"><div class="bbMediaWrapper" data-media-site-id="youtube" data-media-key="guJK3MgvZQE">
<div class="bbMediaWrapper-inner">
<iframe src="https://www.youtube.com/embed/guJK3MgvZQE?wmode=opaque"
loading="lazy"
width="560" height="315"
frameborder="0" allowfullscreen="true"></iframe>
</div>
</div></template>
</form>
obviously doesn't work as URLs like /community/help/cookie are relative, there is no XenForo JS, etc.
Suggested Fix
Ignore consent status when rendering for RSS and render as if consented.
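A check for the symptom described in this report, as an added example that is not part of the original post and not XenForo code: it parses each RSS item's `content:encoded` HTML and flags markup a feed reader cannot use (forms and templates, `data-xf-init` hooks that need the site's JS, the `_xfToken` field, relative URLs). The names `FeedHtmlLinter` and `lint_feed` and the sample feed are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET
from html.parser import HTMLParser
from urllib.parse import urlsplit

CONTENT = "{http://purl.org/rss/1.0/modules/content/}encoded"
URL_ATTRS = {"href", "src", "action"}

# Constructed sample feed (not real output): item 1 mirrors the consent form
# shown in the report, item 2 is plain content with an absolute link.
SAMPLE = """<rss version="2.0" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel>
<item><guid>1</guid><content:encoded><![CDATA[
<form action="/community/misc/cookies?update=1&add=1" method="post" data-xf-init="cookie-consent-form ajax-submit">
<input type="hidden" name="_xfToken" value="CONSTRUCTED" />
<a href="/community/help/cookies">cookies page</a>
<template class="js-embedHtml"><iframe src="https://www.youtube.com/embed/VIDEO_ID"></iframe></template>
</form>]]></content:encoded></item>
<item><guid>2</guid><content:encoded><![CDATA[<a href="https://example.com/t/2">Read more</a>]]></content:encoded></item>
</channel></rss>"""


class FeedHtmlLinter(HTMLParser):
    """Collects (kind, detail) findings for markup that fails outside the site."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag in ("form", "template", "script"):
            self.findings.append(("interactive-element", tag))
        if "data-xf-init" in attrs:  # handler only exists when site JS is loaded
            self.findings.append(("needs-site-js", attrs["data-xf-init"]))
        if tag == "input" and attrs.get("name") == "_xfToken":
            self.findings.append(("token-field", "_xfToken"))
        for name in sorted(URL_ATTRS.intersection(attrs)):
            url = attrs[name] or ""
            parts = urlsplit(url)
            if url and not parts.scheme and not parts.netloc:  # no base URL in a reader
                self.findings.append(("relative-url", f"{tag}[{name}]={url}"))


def lint_feed(rss_xml):
    """Return {guid: findings} for every <item> whose content has findings."""
    report = {}
    for item in ET.fromstring(rss_xml).iter("item"):
        linter = FeedHtmlLinter()
        linter.feed(item.findtext(CONTENT) or "")
        linter.close()
        if linter.findings:
            report[item.findtext("guid")] = linter.findings
    return report
```

Run against a feed generated while logged out with third-party cookie consent unset, an empty report is what the suggested fix should produce.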