Re: [syndication] Syndication of javascript: urls as a security window?
In article <20020228000835.GA17494@trainedmonkey.com>, Jim Winstead
<jimw-yahoo@trainedmonkey.com> writes
>with rss 0.92, the problem is likely compounded. a naive aggregator
>could do bad things with an entry like:
>
> <item>
> <description><script>window.close()</script></description>
> </item>
>
>a news aggregation page that closes the window every time you load it
>probably wouldn't be very much fun.
This is trivial to deal with in PHP using the strip_tags (string str [,
string allowable_tags]) function. Drupal routinely limits the data to an
allowed set of tags before saving it. I did the same thing in my Delphi
desktop aggregator, although I had to write the function first.
Displaying the entire description as delivered is risky. But then it's
no more risky than visiting web sites and viewing them. If nothing else,
it's desirable to clean up the data to stop badly coded <table>s and
suchlike from screwing around with your display.
The most annoying tag is <pre>. It does no real harm, but can make your
display much too wide. One of the weblogs I was reading had a really
wide piece of source code and it hung around in their RSS for much
longer than my cache, so every couple of weeks it would turn up again. I
think eventually, I just stopped reading that site.
--
Julian Bond email: julian_bond@voidstar.com
CV/Resume: http://www.voidstar.com/cv/
WebLog: http://www.voidstar.com/
M: +44 (0)77 5907 2173 T: +44 (0)192 0412 433
ICQ:33679568 tag:So many words, so little time
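A Python equivalent of the allowlist approach described above, added here as a worked example; it is not code from the poster's Delphi aggregator, from Drupal, or from PHP's strip_tags. It re-serialises an RSS <description> keeping only an allowlisted set of tags, drops <script> and <style> together with their content, and, unlike strip_tags with allowable_tags (which leaves attributes on the tags it keeps, including onmouseover), it also strips every attribute except a short allowlist and rejects href values that are not http/https/mailto. The tag and attribute lists, the scheme check, the helper names and the sample feed are assumptions for illustration; the feed is constructed after the item quoted in the thread.

```python
"""Allowlist sanitiser for RSS <description> HTML (added example, not the
original post's code). Keeps only allowed tags and attributes, drops
script/style content entirely, escapes everything else as text."""
from html import escape
from html.parser import HTMLParser
import xml.etree.ElementTree as ET

# Illustrative allowlist; a real aggregator would tune these. <pre> is
# deliberately absent, which also avoids the over-wide display problem.
ALLOWED_TAGS = {"p", "a", "b", "i", "em", "strong", "ul", "ol", "li",
                "br", "blockquote", "code"}
ALLOWED_ATTRS = {"a": {"href", "title"}}
VOID_TAGS = {"br"}
DROP_CONTENT = {"script", "style"}   # tag and everything inside it go away
SAFE_SCHEMES = ("http://", "https://", "mailto:")


class AllowlistSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.open_tags = []   # allowed tags we emitted, closed in LIFO order
        self.dropping = 0     # > 0 while inside <script>/<style>

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT:
            self.dropping += 1
            return
        if self.dropping or tag not in ALLOWED_TAGS:
            return            # unknown tag: drop the tag, keep its text
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()) or value is None:
                continue      # event handlers, style, etc. never survive
            if name == "href" and not value.strip().lower().startswith(SAFE_SCHEMES):
                continue      # javascript:, data:, vbscript: links dropped
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")
        if tag not in VOID_TAGS:
            self.open_tags.append(tag)

    def handle_endtag(self, tag):
        if tag in DROP_CONTENT:
            self.dropping = max(0, self.dropping - 1)
            return
        if self.dropping or tag not in self.open_tags:
            return
        while self.open_tags:  # close anything left open inside this tag
            t = self.open_tags.pop()
            self.out.append(f"</{t}>")
            if t == tag:
                break

    def handle_data(self, data):
        if not self.dropping:
            self.out.append(escape(data, quote=False))  # re-escape as text

    def close(self):
        super().close()
        while self.open_tags:  # close tags the feed left dangling
            self.out.append(f"</{self.open_tags.pop()}>")


def sanitize_html(fragment: str) -> str:
    parser = AllowlistSanitizer()
    parser.feed(fragment)
    parser.close()
    return "".join(parser.out)


def inner_markup(elem) -> str:
    """Text plus serialised child elements of an XML element, for feeds that
    embed raw (unescaped) HTML inside <description> as in the quoted item."""
    parts = [elem.text or ""]
    for child in elem:
        tail, child.tail = child.tail, None   # serialise child without its tail
        parts.append(ET.tostring(child, encoding="unicode"))
        child.tail = tail
        parts.append(tail or "")
    return "".join(parts)


def sanitized_descriptions(feed_xml: str) -> list:
    root = ET.fromstring(feed_xml)
    return [sanitize_html(inner_markup(d)) for d in root.iter("description")]


# Constructed sample feed: item 1 is the quoted raw-markup case, item 2 is
# escaped HTML carrying an event handler and a javascript: link.
SAMPLE_FEED = """<rss version="0.92"><channel><title>demo</title>
<item><description><script>window.close()</script></description></item>
<item><description>&lt;p onmouseover="alert(1)"&gt;Hello &lt;script&gt;window.close()&lt;/script&gt;&lt;a href="javascript:alert(1)"&gt;x&lt;/a&gt;&lt;a href="http://example.com/"&gt;ok&lt;/a&gt;&lt;/p&gt;</description></item>
</channel></rss>"""

if __name__ == "__main__":
    for cleaned in sanitized_descriptions(SAMPLE_FEED):
        print(repr(cleaned))
```

The first item sanitises to an empty string and the second keeps only `<p>Hello <a>x</a><a href="http://example.com/">ok</a></p>`. Dangling tags are closed on `close()`, so a feed's unbalanced `<b>` cannot leak formatting into the rest of the aggregation page, which is the `<table>` problem in the post as well as the script one.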