KodaShuko / magpiephp

Automatically exported from code.google.com/p/magpiephp

XSS vulnerable #1

Open GoogleCodeExporter opened 8 years ago

GoogleCodeExporter commented 8 years ago
(copied over from the old SF system)

I have tested magpierss, and I found an XSS issue when
magpierss shows the data from someone's RSS or Atom file.

More exactly, in the "title" item, if the RSS or Atom file
contains:

case 1:
<title><![CDATA[[ <script
language="javascript">alert('XSS');</script> ]]></title>

result:
show alert

case 2:
<title><![CDATA[ &lt;script
language=&quot;javascript&quot;&gt;alert(&quot;XSS&quot;);&lt;/script&gt;
]]></title>

result:
doesn't show anything

case 3:
<title> &lt;script
language=&quot;javascript&quot;&gt;alert(&quot;XSS&quot;);&lt;/script&gt;
</title>

result:
show alert

case 4:
<title> <script
language="javascript">alert('XSS');</script> </title>

result:
nothing, magpierss doesn't take this syntax =)

magpierss shows the code not escaped, or using
htmlentities() for the title text.

I don't know if magpierss will escape this code, or
only the application that uses magpierss.

Maybe this issue repeats in the other places of the XML
structure: author, link, uid, etc., etc.

Sorry, my English is bad =P.
Greetings.

Original issue reported on code.google.com by kel...@gmail.com on 16 Oct 2006 at 6:20
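As an added illustration (not code from the report or from MagpieRSS), the following PHP runs the report's cases 1 to 3 through PHP's SimpleXML parser and shows what the title string looks like after parsing, which is why the page that echoes it must escape it with htmlspecialchars(): the XML parser decodes case 3's entities back into a real script tag, while case 2's entities inside CDATA stay literal text. The feed fragments and function names are constructed here; the surrounding rss/channel/item elements only exist to make each fragment a complete document.

```php
<?php
// Added example (not MagpieRSS code): what a feed title looks like after XML
// parsing, and why the consuming page must escape it before echoing it as HTML.

// Constructed feed fragments that mirror cases 1-3 of the report.
$cases = [
    'case 1 (raw script inside CDATA)' =>
        "<title><![CDATA[[ <script language=\"javascript\">alert('XSS');</script> ]]></title>",
    'case 2 (entity-encoded inside CDATA)' =>
        "<title><![CDATA[ &lt;script language=&quot;javascript&quot;&gt;alert(&quot;XSS&quot;);&lt;/script&gt; ]]></title>",
    'case 3 (entity-encoded, no CDATA)' =>
        "<title> &lt;script language=&quot;javascript&quot;&gt;alert(&quot;XSS&quot;);&lt;/script&gt; </title>",
];

// Parse the fragment the way any XML-based feed parser does: CDATA content is
// taken literally, entities outside CDATA are decoded to the characters they name.
function parsedTitle(string $titleXml): string
{
    $doc = simplexml_load_string(
        "<rss><channel><item>$titleXml</item></channel></rss>",
        'SimpleXMLElement',
        LIBXML_NOCDATA
    );
    if ($doc === false) {
        throw new RuntimeException('malformed feed fragment');
    }
    return trim((string) $doc->channel->item->title);
}

// The safe way to put parser output into an HTML page: escape at output time,
// regardless of what the feed author wrote.
function renderTitle(string $title): string
{
    return htmlspecialchars($title, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

foreach ($cases as $label => $xml) {
    $title = parsedTitle($xml);
    // A parsed title that contains a tag becomes live markup if echoed unescaped.
    $dangerous = stripos($title, '<script') !== false;
    echo $label, "\n";
    echo "  parsed text : ", $title, "\n";
    echo "  raw echo    : ", $dangerous ? 'script tag reaches the browser' : 'plain text', "\n";
    echo "  escaped echo: ", renderTitle($title), "\n\n";
}
```

Cases 1 and 3 both come out of the parser as a literal `<script>` tag, so a raw `echo $item['title']` reproduces the alert the report describes; case 2 comes out as the text `&lt;script ...` and is harmless either way. Escaping at output renders case 2 as the visible characters `&lt;script`, which is the faithful rendering of what that feed actually contained. Escaping once, at the point where the string is written into HTML, avoids the library-versus-application question raised in the thread: the consumer of the library always knows the output context, the library does not.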

GoogleCodeExporter commented 8 years ago
It seems to me that magpierss should return content without any changes.
The application should keep in mind the possible attack. IMHO.
Dmitr.

Original comment by kach...@gmail.com on 17 Nov 2006 at 2:30

GoogleCodeExporter commented 8 years ago
http://diveintomark.org/archives/2003/06/12/how_to_consume_rss_safely

SimplePie provides configurable tag/attribute stripping, with a sensible set of 
defaults.

Original comment by sky...@gmail.com on 28 Nov 2006 at 1:28

GoogleCodeExporter commented 8 years ago
I agree with kaclev and I simply use HTML Purifier <http://htmlpurifier.org/>

Original comment by cubegames on 26 Jun 2007 at 6:49