RSS and Web Feeds a Risk?
A follow-up whitepaper [PDF] to a recent talk at the Black Hat security conference has been released outlining the risks associated with web-based feeds such as RSS and Atom. From the article: "Attackers could exploit the problem by setting up a malicious blog and enticing a user to subscribe to the RSS feed. More likely, however, they would add malicious JavaScript to the comments on a trusted blog, Auger said. "A lot of blogs will take user comments and stick them into their own RSS feeds," he said."
Re:Old technique, new medium (Score:5, Interesting)
So in the real world, a lot of sensible developers understand the problem with risky external input, although lots of baby-developers haven't had enough experience to get jaded and never trust users. Security thoughts come from age and being cynical.
But either way, the Web2.0 look irks me
Color me stupid... (Score:5, Interesting)
And, as someone above suggested, what the hell is a "Web 2.0" RSS feed? Even if I used AJAX to make a nice-n-pretty UI for my blog, that still wouldn't explain why I would use JavaScript for my RSS feed.
Re:Huh? (Score:2, Interesting)
The second issue is with the "allowed tags" attribute of strip_tags. You may think to yourself that allowing <b>, <i>, <strong> tags, etc. is pretty harmless. Except that there's still no checking on the attributes of those tags. I can include a <b onmouseover="whatever_javascript();">mouse over me!</b> and strip_tags will happily allow that through and you think you're safe by only allowing a couple of harmless tags.
This whole article is just another example of blaming the technology instead of the shitty programmers who implement it.
---John Holmes...
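As an added example (not code from the thread), here is the strip_tags() behaviour the comment above describes, beside a DOMDocument-based filter that keeps the allow-listed tags but copies none of their attributes. The helper names sanitize_fragment and render_clean and the sample comment are constructed for this illustration.

```php
<?php
// Added example, not code from the thread. Shows why an allow-list passed to
// strip_tags() is not enough: attributes on the allowed tags are untouched.

// Constructed sample comment, modelled on the one in the post above.
$comment = 'Hi <b onmouseover="whatever_javascript();">mouse over me!</b>'
         . ' and <script>steal()</script>';

// Weak filter: <script> is removed, but the onmouseover handler on <b> stays.
$weak = strip_tags($comment, '<b><i><strong>');

// Hardened filter (hypothetical helper): parse the fragment with DOMDocument,
// keep only allow-listed element names, and copy no attributes at all.
function sanitize_fragment(string $html, array $allowed = ['b', 'i', 'strong']): string
{
    $doc = new DOMDocument();
    libxml_use_internal_errors(true);            // silence warnings on odd markup
    // Prolog forces UTF-8; the wrapper <div> gives a bare fragment a known root.
    $doc->loadHTML('<?xml encoding="UTF-8"><div>' . $html . '</div>');
    libxml_clear_errors();
    $root = $doc->getElementsByTagName('div')->item(0);   // outermost div = wrapper
    return render_clean($root, $allowed);
}

function render_clean(DOMNode $node, array $allowed): string
{
    $out = '';
    foreach ($node->childNodes as $child) {
        if ($child instanceof DOMText) {
            // Re-escape text so a literal "<" typed by the commenter stays text.
            $out .= htmlspecialchars($child->nodeValue, ENT_QUOTES, 'UTF-8');
        } elseif ($child instanceof DOMElement) {
            $tag = strtolower($child->tagName);
            if ($tag === 'script' || $tag === 'style') {
                continue;                        // drop these with their contents
            }
            $inner = render_clean($child, $allowed);
            // Allowed element: emit the bare tag, never its attributes.
            // Anything else: unwrap it and keep only its (escaped) text.
            $out .= in_array($tag, $allowed, true) ? "<$tag>$inner</$tag>" : $inner;
        }
        // Comments and processing instructions are dropped silently.
    }
    return $out;
}

$safe = sanitize_fragment($comment);
echo "strip_tags : $weak", PHP_EOL;   // the onmouseover handler survives here
echo "sanitized  : $safe", PHP_EOL;   // bare <b> tag only, no attributes
```

The same attribute problem applies to href (javascript: URLs) and style, so dropping attributes wholesale, or allow-listing them individually, is the part strip_tags() never does for you.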