jquery-rss

Trivial XSS vulnerabilities

Open Vogtinator opened this issue 4 years ago • 4 comments

Currently the document loaded from the RSS -> JSON converter is directly evaluated as JavaScript in the global context.

In addition, placeholders such as {url} or {title} do not have any sanitization or escaping capabilities, so if a feed contains something like <script/> tags in its URL or title it's immediately evaluated.

So in the default configuration this can only be used if www.feedrapp.info/the custom server and the RSS feed source are absolutely trusted and loaded over a secure transport.

Vogtinator avatar Jul 12 '19 19:07 Vogtinator

I agree. What would you suggest?

sdepold avatar Sep 29 '19 11:09 sdepold

Escaping everything properly before putting it into HTML.

Vogtinator avatar Sep 29 '19 11:09 Vogtinator

Did you notice that there is a bodyPlain placeholder which completely removes the HTML? Is that what you want?

sdepold avatar Oct 09 '19 04:10 sdepold

That has to be the case for all placeholders.

Vogtinator avatar Oct 09 '19 05:10 Vogtinator
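
Added example, not part of the thread and not jquery-rss code: one way to apply escaping to every placeholder, as the last comment asks, before a template is turned into HTML. The function names (`escapeHtml`, `safeUrl`, `renderEntry`), the `urlTokens` parameter and the sample entry are assumptions made for illustration; the extra scheme check on URL placeholders goes one step beyond the escaping discussed above.

```javascript
// Hypothetical helpers for illustration; not the jquery-rss API.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Escape text so it is inert in element content and in quoted attribute values.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Accept only absolute http(s) URLs and return them in normalized form;
// any other scheme or an unparsable value becomes "#".
function safeUrl(value) {
  try {
    const url = new URL(String(value).trim());
    return url.protocol === 'http:' || url.protocol === 'https:' ? url.href : '#';
  } catch (err) {
    return '#';
  }
}

// Replace every {name} token with an escaped value taken from the feed entry.
// Tokens with no matching field are left as written; tokens listed in
// urlTokens are scheme-checked before being escaped.
function renderEntry(template, entry, urlTokens = ['url']) {
  return template.replace(/\{(\w+)\}/g, (match, name) => {
    if (!Object.prototype.hasOwnProperty.call(entry, name)) return match;
    const raw = urlTokens.includes(name) ? safeUrl(entry[name]) : entry[name];
    return escapeHtml(raw);
  });
}

// Constructed feed entry carrying markup in both fields, as the issue describes.
const sampleEntry = {
  title: '<script>alert(1)</script>',
  url: 'https://example.test/"><script>alert(1)</script>',
};
const sampleTemplate = '<li><a href="{url}">{title}</a></li>';
const demoOutput = renderEntry(sampleTemplate, sampleEntry);
console.log(demoOutput); // markup from the feed arrives as text, not as tags
```

This covers text and quoted-attribute contexts only; a placeholder used inside a `<script>` block, an unquoted attribute or a `style` value needs context-specific encoding instead.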