-rw-r--r--feed.php10
-rw-r--r--inc/DifferenceEngine.php2
-rw-r--r--inc/subscription.php4
3 files changed, 10 insertions, 6 deletions
diff --git a/feed.php b/feed.php
index 7803982b8..73fa0e05f 100644
--- a/feed.php
+++ b/feed.php
@@ -322,14 +322,15 @@ function rss_buildItems(&$rss, &$data, $opt) {
$rev = $revs[0];
if($rev) {
- $df = new Diff(explode("\n", htmlspecialchars(rawWiki($id, $rev))),
- explode("\n", htmlspecialchars(rawWiki($id, ''))));
+ $df = new Diff(explode("\n", rawWiki($id, $rev)),
+ explode("\n", rawWiki($id, '')));
} else {
$df = new Diff(array(''),
- explode("\n", htmlspecialchars(rawWiki($id, ''))));
+ explode("\n", rawWiki($id, '')));
}
if($opt['item_content'] == 'htmldiff') {
+ // note: no need to escape diff output, TableDiffFormatter provides 'safe' html
$tdf = new TableDiffFormatter();
$content = '<table>';
$content .= '<tr><th colspan="2" width="50%">'.$rev.'</th>';
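Review bot: The new comment in the htmldiff branch asserts that TableDiffFormatter emits safe HTML, but nothing in this commit shows where that escaping happens, while the wikitext now reaches the formatter unescaped on every line path (added, deleted, context and word-level changes); the same assumption is made for InlineDiffFormatter in inc/subscription.php. Before merging, confirm each output path of TableDiffFormatter escapes its content, and pin it with a regression test that runs a page containing `<script>` through this branch and expects `&lt;script&gt;` in the item content. The revision number on the last line of the hunk is also concatenated into the `<th>` unescaped; if it is always a numeric timestamp that is harmless, but `hsc($rev)` would make the contract explicit. I would also have the comment state the contract instead of quoting 'safe': `// TableDiffFormatter escapes line content itself; pass raw wikitext, never pre-escaped text (double escaping)`. rss_buildItems continues outside the hunk.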
@@ -337,8 +338,9 @@ function rss_buildItems(&$rss, &$data, $opt) {
$content .= $tdf->format($df);
$content .= '</table>';
} else {
+ // note: diff output must be escaped, UnifiedDiffFormatter provides plain text
$udf = new UnifiedDiffFormatter();
- $content = "<pre>\n".$udf->format($df)."\n</pre>";
+ $content = "<pre>\n".hsc($udf->format($df))."\n</pre>";
}
}
break;
diff --git a/inc/DifferenceEngine.php b/inc/DifferenceEngine.php
index e0fbf8e03..783d6bea5 100644
--- a/inc/DifferenceEngine.php
+++ b/inc/DifferenceEngine.php
@@ -1004,6 +1004,8 @@ class InlineWordLevelDiff extends MappedDiff {
* "Unified" diff formatter.
*
* This class formats the diff in classic "unified diff" format.
+ *
+ * NOTE: output is plain text and unsafe for use in HTML without escaping.
*/
class UnifiedDiffFormatter extends DiffFormatter {
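Review bot: The NOTE added to UnifiedDiffFormatter documents only the unsafe side; the formatters this commit now trusts for HTML output (TableDiffFormatter in feed.php, InlineDiffFormatter in inc/subscription.php) get no matching statement that they escape content themselves and expect raw input. Without it, a later caller has no hint that pre-escaping the input to those formatters double-escapes, while forgetting to escape after UnifiedDiffFormatter injects markup. Once verified against their code, I would add to each of their docblocks a line such as `* NOTE: output is HTML; the formatter escapes line content itself, so pass raw (unescaped) text.`. The class bodies are outside this hunk.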
diff --git a/inc/subscription.php b/inc/subscription.php
index 2989de032..4248e4b11 100644
--- a/inc/subscription.php
+++ b/inc/subscription.php
@@ -408,8 +408,8 @@ class Subscription {
$tdiff = $dformat->format($df);
$DIFF_INLINESTYLES = true;
- $df = new Diff(explode("\n", hsc($old_content)),
- explode("\n", hsc($new_content)));
+ $df = new Diff(explode("\n", $old_content),
+ explode("\n", $new_content));
$dformat = new InlineDiffFormatter();
$hdiff = $dformat->format($df);
$hdiff = '<table>'.$hdiff.'</table>';
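Review bot: After this change the Diff built on the two added lines appears to take exactly the inputs of the Diff already formatted into `$tdiff` just above the hunk (that construction is not visible here, so this is inferred); if so, the second `new Diff(...)` is redundant and the two added lines can be dropped, keeping `$dformat = new InlineDiffFormatter(); $hdiff = $dformat->format($df);`, which also makes it obvious that the text and HTML mail parts come from one comparison. The HTML part now depends entirely on InlineDiffFormatter escaping what it emits, and this commit adds no check of that formatter's output paths, so it should land together with one. The enclosing Subscription method continues outside the hunk.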