jquery-rss
Trivial XSS vulnerabilities
Currently the document loaded from the RSS -> JSON converter is directly evaluated as JavaScript in the global context.
In addition, placeholders such as {url} or {title} do not have any sanitization or escaping capabilities, so if a feed contains something like <script/> tags in its URL or title it's immediately evaluated.
So in the default configuration this can only be used if www.feedrapp.info/the custom server and the RSS feed source are absolutely trusted and loaded over a secure transport.
I agree. What would you suggest?
Escaping everything properly before putting it into HTML.
Did you notice that there is a bodyPlain placeholder which completely removes the html? Is that what you want?
That has to be the case for all placeholders.