
Trivial XSS vulnerabilities #152

Open
Vogtinator opened this issue Jul 12, 2019 · 4 comments

Comments

@Vogtinator

Currently the document loaded from the RSS -> JSON converter is directly evaluated as JavaScript in the global context.

In addition, placeholders such as {url} or {title} do not have any sanitization or escaping capabilities, so if a feed contains something like <script/> tags in its URL or title it's immediately evaluated.

So in the default configuration this can only be used if www.feedrapp.info/the custom server and the RSS feed source are absolutely trusted and loaded over a secure transport.

@sdepold
Owner

sdepold commented Sep 29, 2019

I agree. What would you suggest?

@Vogtinator
Author

Escaping everything properly before putting it into HTML.

@sdepold
Owner

sdepold commented Oct 9, 2019

Did you notice that there is a bodyPlain placeholder which completely removes the html? Is that what you want?

@Vogtinator
Author

That has to be the case for all placeholders.
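The two fixes the thread converges on, parsing the converter response as data instead of evaluating it, and escaping every placeholder value before it is substituted into the HTML template, as an added example. This is not the project's code; the template syntax (`{url}`, `{title}`, `bodyPlain`) follows the placeholders named in the issue, while the function names, the response shape (`{ "entries": [...] }`) and the sample response are assumptions constructed for the example.

```javascript
// Added example, not code from the project discussed in the issue.
// Escape the five characters that matter in HTML text and attribute values,
// so feed content is rendered as text and never as markup.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Substitute {name} placeholders in a template. Every value passes through
// escapeHtml; unknown placeholders are left untouched rather than guessed.
function renderEntry(template, entry) {
  return template.replace(/\{(\w+)\}/g, (match, name) =>
    Object.prototype.hasOwnProperty.call(entry, name)
      ? escapeHtml(entry[name])
      : match
  );
}

// The unescaped variant the issue describes, kept only for comparison:
// feed content lands in the page verbatim.
function renderEntryUnescaped(template, entry) {
  return template.replace(/\{(\w+)\}/g, (match, name) =>
    Object.prototype.hasOwnProperty.call(entry, name) ? String(entry[name]) : match
  );
}

// Parse the converter response as data. JSON.parse never executes code,
// unlike evaluating the response body as JavaScript in the global scope.
// The { entries: [...] } shape is an assumption of this example.
function parseFeedResponse(body) {
  const data = JSON.parse(body);
  if (!data || !Array.isArray(data.entries)) {
    throw new Error('unexpected feed response shape');
  }
  return data.entries;
}

function renderAll(body, template) {
  return parseFeedResponse(body).map((entry) => renderEntry(template, entry));
}

// Constructed sample response (not from a real converter): the second entry
// carries markup in its title and a quote in its URL, as a hostile feed could.
const SAMPLE_RESPONSE = JSON.stringify({
  entries: [
    { title: 'Plain <b>title</b>', url: 'https://example.invalid/a', bodyPlain: 'ok' },
    { title: '<script>x()</script>', url: 'https://example.invalid/b" onclick="x()', bodyPlain: 'x' },
  ],
});

const TEMPLATE = '<li><a href="{url}">{title}</a></li>';

if (typeof require !== 'undefined' && require.main === module) {
  for (const html of renderAll(SAMPLE_RESPONSE, TEMPLATE)) console.log(html);
}
```

With `renderEntry` the second sample entry renders as a link whose text is the literal string `<script>x()</script>` and whose `href` attribute cannot be closed early by the embedded quote; `renderEntryUnescaped` shows the page-author's point, the same entry produces a live `<script>` element and a stray `onclick` attribute. Escaping must be applied to every placeholder, including `{url}` inside attribute values, not just to the body.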
