RSS security
2003-06-13 16:29:57.995905+00 by
Dan Lyke
8 comments
I'm not even going to bother trying to find the mailing list archives,
and probably weblog entries, where I pointed out that RSS as most
aggregators implement it has some severe security issues. But it has
been years. Well, Mark
finally pointed out the flaws in most aggregators.
Entity encoding HTML in XML has always been a freakin'
bad idea, especially for all those people who've been saying
"HTML is hard to parse" while they've been pushing the lameness that
is RSS. All the aggregator writers have known about the possibilities
of this situation for a long time, and sometimes it takes a
wide-spread demonstration to piss off the customers so that the
vendors fix their stuff.
[ related topics:
Web development Content Management Weblogs
]
comments in ascending chronological order (reverse):
#Comment made: 2003-06-13 23:42:05.345557+00 by:
Mark A. Hershberger
All the aggregator writers didn't implement HTML in full, though, so some escaped.
(notably: nnrss which uses w3m or w3.el for rendering text/html).
And this isn't just about Entity Encoding. Some RSS feeds included un-escaped XHTML.
The bad idea here is allowing tainted data (to use Perl-speak) to reach the user.
#Comment made: 2003-06-16 07:21:36.069217+00 by:
Shawn
I'd agree. One of the reasons I don't use Flutterby's RSS feed is because of the lack of HTML links. Some HTML is useful and therefore good, IMO. But accounting for possible malicious code is important as well.
I don't think the answer is to prohibit HTML and more than I think the answer to pop-ups is to disable Javascript entirely.
#Comment made: 2003-06-16 10:24:42.445066+00 by:
Dan Lyke
Shawn, try http://www.flutterby.com/mainlong.rdf
I haven't gone public with it yet 'cause I'm not sure all the bugs are worked out, but it should be roughly the Flutterby feed with RSS1.0 and escaped HTML. Obviously my HTML is pretty well cleaned up, so I think it's safe. A few more folks testing it and I'll mention it on the front page.
Just dropping in, the net from here is atrocious and through a proxy server that I don't necessarily... well, you know.
#Comment made: 2003-06-17 16:11:16.461684+00 by:
meuon
Trust NOTHING while you are outside of the country.. and less while you are in it.
#Comment made: 2003-06-18 23:32:23.252585+00 by:
Shawn
[edit history]
Dan; in general it looks good. Or, more accurately, it looks like what I'd like to see. There is a bit of formatting strangeness (my aggregator client is using an embedded IE control/object) and don't forget that the local protocol:domain is going to be used by whatever the client is. Several images aren't showing because their src's resolve to the local filesystem for the server/domain.
One of the reasons I'm asking about the codebase is because I want to experiement with having an XML back-end drive everything, with the main page being built with XSLT.
#Comment made: 2003-06-19 00:47:02.853274+00 by:
Dan Lyke
Whoops. Forgot that even though the HTML is known clean at that point, URLs aren't normalized. Something else for the "when I get back" list.
I've stayed away from the monstrosity that is XSLT, but since my tools can easily create XHTML it should be simple to figure the right pipeline from that through XSLT. Okay, I should only sleep 6 hours or so on the plane back, I'll see if I can get enough set up that I can hit "go" and create the Flutterby.net site quickly.
(Of course that's assuming I don't have a nice Hong Kong woman sitting next to me on the plane who notices I'm practicing drawing my Chinese characters and extends that into "Oh, you want to learn Cantonese? Let's work on pronunciation...". Fun and interesting, but interferes with the schedule.)
#Comment made: 2003-06-19 01:37:41.869879+00 by:
Shawn
[edit history]
Oh, don't rush on my account. This isn't critical for me at the moment. RSSing the other stuff I want to read frees up time for me to spend directly on the Flutterby website anyway ;-)
What I'd really like to see out of RSS is a way to show the [new?] comments. I'm not even sure how to approach that at the moment, however. My long-range thinking is that I'll tackle that eventually if I get into blogging/RSS myself.
XSLT is kinda cool, even if it adds another level of bloat. I haven't played with it enough yet to make a determination as to it's true usefulness, though.
#Comment made: 2003-06-22 05:58:15.33998+00 by:
Shawn
Now that I'm using the new feed you're working on I'm remeinded that I really would like to see the inclusion of the author of each piece. I don't clue into who somebody is just from their writing style the way you've mentioned you do.