From df4bd6236c7ae004ddc41461f45af565c18670e6 Mon Sep 17 00:00:00 2001
From: ahuininga-orisha <>
Date: Thu, 28 May 2026 15:48:42 +0200
Subject: [PATCH] fix: strip non-XML output from feed response to prevent script tag injection
---
 Controller/Feed/Export.php | 11 +++++++++++
 1 file changed, 11 insertions(+)
diff --git a/Controller/Feed/Export.php b/Controller/Feed/Export.php
index 6aa37e5..8970e30 100644
--- a/Controller/Feed/Export.php
+++ b/Controller/Feed/Export.php
@@ -114,6 +114,17 @@ public function execute(): Response
 $store = $this->storeManager->getStore($storeId);
 }
+ // Discard any output already buffered by other modules (e.g. Stape GTM setting
+ // cookies) before we start streaming the XML feed. Without this, buffered garbage
+ // can be flushed to the client ahead of the export, $this->log, $this->driver, $store, $request->getParam('type')))->__toString();