
Re: [syndication] Syndication of javascript: urls as a security window?



On Wed, Feb 27, 2002 at 03:40:28PM -0800, Brian Aker wrote:
> On Wed, 2002-02-27 at 15:10, burton@openprivacy.org wrote:
> > This somethingBad() could be a one line Javascript to get cookies and
> > to create a URL with this info and post to a site.
> > 
> > We should document this somewhere and encourage aggregators to remove
> > javascript: urls.
>
> We fixed this on Slashdot some time ago. We never had anyone do it, but
> we considered it just a matter of time till someone did. I imagine that
> it is one of those exploits that are just waiting to bite a number of
> people.

with rss 0.92, the problem is likely compounded. a naive aggregator
could do bad things with an entry like:

  <item>
   <description>&lt;script&gt;window.close()&lt;/script&gt;</description>
  </item>

a news aggregation page that closes the window every time you load it
probably wouldn't be very much fun.

jim
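The defensive counterpart to the problem this thread describes, as an added example that is not code from the list or from any aggregator mentioned here: parse an RSS 0.92 item, entity-decode the description (which is exactly where the script lands once the XML is decoded), and strip script elements, event-handler attributes and javascript: hrefs before the HTML is rendered. The feed text, the allow-list and the function names are constructed for this example.

```python
"""Sanitise RSS 0.92 <description> HTML before an aggregator renders it."""
import html
import xml.etree.ElementTree as ET
from html.parser import HTMLParser

# Constructed sample feed: the window.close() item from the thread plus a
# javascript: link and one ordinary link.
FEED = """<rss version="0.92"><channel><item>
<description>&lt;script&gt;window.close()&lt;/script&gt;Read \
&lt;a href="javascript:alert(1)"&gt;more&lt;/a&gt; at \
&lt;a href="http://example.com/"&gt;example&lt;/a&gt;</description>
</item></channel></rss>"""

ALLOWED_TAGS = {"a", "b", "i", "p", "em", "strong", "br"}   # allow-list, not deny-list
DROPPED_ELEMENTS = {"script", "style", "iframe", "object", "embed"}  # contents removed too
SAFE_SCHEMES = ("http://", "https://", "mailto:")


class Sanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.skip_depth = 0  # > 0 while inside an element whose content is dropped

    def handle_starttag(self, tag, attrs):
        if tag in DROPPED_ELEMENTS:
            self.skip_depth += 1
            return
        if self.skip_depth or tag not in ALLOWED_TAGS:
            return
        kept = []
        for name, value in attrs:
            if name.startswith("on"):  # onclick, onload, ...: never rendered
                continue
            href = (value or "").strip().lower()
            if name == "href" and not href.startswith(SAFE_SCHEMES):
                continue  # drops javascript:, data:, vbscript: and relative tricks
            kept.append(f' {name}="{html.escape(value or "", quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in DROPPED_ELEMENTS:
            self.skip_depth = max(0, self.skip_depth - 1)
        elif not self.skip_depth and tag in ALLOWED_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(html.escape(data))  # re-escape text content


def sanitize_html(fragment):
    parser = Sanitizer()
    parser.feed(fragment)
    parser.close()
    return "".join(parser.out)


def sanitized_descriptions(feed_xml):
    """Return the sanitised HTML of every <description> in the feed."""
    root = ET.fromstring(feed_xml)  # XML decoding turns &lt;script&gt; back into <script>
    return [sanitize_html(d.text or "") for d in root.iter("description")]
```

Running it on the constructed feed yields `Read <a>more</a> at <a href="http://example.com/">example</a>`: the script element and its body are gone and the javascript: link keeps its text but loses its href.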