Closed GoogleCodeExporter closed 9 years ago
Original comment by ed.summers
on 10 Mar 2010 at 5:55
Original comment by liza31337@gmail.com
on 3 May 2010 at 3:33
Security Considerations
OPDS Catalogs are Atom documents delivered over HTTP and thus subject to the security considerations found in Section 15 of [RFC2616] and Section 5 of [RFC4287].
Linked Resources
OPDS Catalogs can contain XML External Entities as defined in Section 4.2.2 of [REC-xml]. OPDS Catalog implementations are not required to load external entities. External entities are subject to the same security concerns as any network operation and can alter the semantics of an OPDS Catalog Document. The same issues exist for Resources linked to by Catalog elements such as atom:link and atom:content.
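The following is an added example, not text or code from the OPDS specification or from this issue. It shows one way a catalog consumer can act on the two points above: it parses an OPDS Catalog with the standard-library expat parser configured so that a DOCTYPE, an entity declaration or an external entity reference aborts the parse instead of triggering a network or file read, and it lists the atom:link targets so that linked Resources with an unexpected URI scheme can be flagged before anything is fetched. The allowed scheme list, the function names and both sample feeds (including the link relation values) are assumptions constructed for the example.

```python
"""Added example (not from the OPDS spec or this issue): parse an OPDS Catalog
while refusing to load XML external entities, then audit its atom:link targets."""
import xml.parsers.expat as expat
from urllib.parse import urlsplit

ATOM_NS = "http://www.w3.org/2005/Atom"
# Schemes this consumer is willing to follow for linked Resources (assumption).
ALLOWED_LINK_SCHEMES = ("http", "https")


class UnsafeCatalogError(ValueError):
    """The document tried to pull content from outside itself."""


def parse_opds_links(xml_bytes):
    """Return (href, rel, type) for every atom:link in the catalog.

    Raises UnsafeCatalogError if the document carries a DOCTYPE, declares any
    entity, or references an external entity. Atom feeds need no DTD, so an
    OPDS consumer loses nothing by refusing them outright.
    """
    links = []
    parser = expat.ParserCreate(namespace_separator=" ")
    # Never fetch an external DTD subset and never expand parameter entities.
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)

    def on_doctype(name, system_id, public_id, has_internal_subset):
        # Entity declarations can only live inside a DOCTYPE, so reject it early.
        raise UnsafeCatalogError(f"DOCTYPE not permitted in an OPDS catalog: {name!r}")

    def on_entity_decl(name, is_parameter, value, base, system_id, public_id, notation):
        raise UnsafeCatalogError(f"entity declaration not permitted: {name!r}")

    def on_external_entity_ref(context, base, system_id, public_id):
        # Returning 0 makes expat abort instead of resolving system_id.
        return 0

    def on_start_element(name, attrs):
        namespace, _, local = name.rpartition(" ")
        if namespace == ATOM_NS and local == "link":
            links.append((attrs.get("href", ""), attrs.get("rel", ""), attrs.get("type", "")))

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity_decl
    parser.ExternalEntityRefHandler = on_external_entity_ref
    parser.StartElementHandler = on_start_element
    parser.Parse(xml_bytes, True)
    return links


def links_with_unexpected_scheme(links):
    """Linked Resources whose URI scheme is outside the allow-list (relative hrefs pass)."""
    flagged = []
    for href, rel, media_type in links:
        scheme = urlsplit(href).scheme.lower()
        if scheme and scheme not in ALLOWED_LINK_SCHEMES:
            flagged.append((href, rel, media_type))
    return flagged


# Constructed sample: a minimal well-formed catalog with one link worth flagging.
SAFE_FEED = b"""<?xml version="1.0" encoding="UTF-8"?>
<feed xmlns="http://www.w3.org/2005/Atom">
  <title>Constructed sample catalog</title>
  <entry>
    <title>A book</title>
    <link rel="http://opds-spec.org/acquisition" type="application/epub+zip"
          href="https://example.org/books/1.epub"/>
    <link rel="alternate" type="text/html" href="file:///tmp/local-copy.html"/>
  </entry>
</feed>"""

# Constructed sample: the same kind of catalog carrying an external entity reference.
XXE_FEED = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE feed [ <!ENTITY ext SYSTEM "http://example.org/elsewhere.txt"> ]>
<feed xmlns="http://www.w3.org/2005/Atom"><title>&ext;</title></feed>"""


if __name__ == "__main__":
    links = parse_opds_links(SAFE_FEED)
    print("links:", links)
    print("flagged:", links_with_unexpected_scheme(links))
    try:
        parse_opds_links(XXE_FEED)
    except UnsafeCatalogError as err:
        print("rejected:", err)
```

Rejecting the DOCTYPE outright is the simplest policy; the entity-declaration and external-reference handlers are kept as a second line of defence in case a future change lets a DOCTYPE through.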
URIs and IRIs
OPDS Catalog implementations handle URIs and IRIs. See Section 7 of [RFC3986] and Section 8 of [RFC3987] for security considerations related to their handling and use.
Code Injection and Cross Site Scripting
OPDS Catalogs can contain a broad range of content types including code that might be executable in some contexts. Malicious publishers could attempt to attack servers or other clients by injecting code into OPDS Catalog Documents or OPDS Catalog Entry Documents or Media Resources.
Server implementations are strongly encouraged to verify that external content is safe prior to aggregating, processing, or publishing it. In the case of HTML, experience indicates that verification based on a white list of acceptable content is more effective than a black list of forbidden content. Additional information about XHTML and HTML content safety can be found in Section 8.1 of [RFC4287].
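As an added example, not code from the OPDS specification or from this issue, here is the white-list approach the paragraph above recommends, applied to an HTML fragment of the kind an aggregator would receive in atom:content or atom:summary before republishing it. Everything not explicitly named in the allow-lists (element names, attribute names per element, URL schemes for href) is dropped, so there is no list of forbidden constructs to keep up to date. The particular tag, attribute and scheme lists, the class and function names and the sample fragment are assumptions chosen for the example.

```python
"""Added example (not from the OPDS spec or this issue): allow-list sanitiser
for HTML carried in an OPDS Catalog before a server aggregates or republishes it."""
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlsplit

# The allow-lists: anything not named here is dropped (assumed, illustrative sets).
ALLOWED_TAGS = {"p", "br", "b", "i", "em", "strong", "ul", "ol", "li", "a"}
ALLOWED_ATTRS = {"a": {"href"}}
ALLOWED_URL_SCHEMES = {"http", "https", "mailto"}
# Elements whose text content is code rather than prose; their bodies go too.
DROP_CONTENT_TAGS = {"script", "style"}


def is_safe_href(value):
    """Accept relative URLs and allow-listed schemes; reject javascript:, data:, etc."""
    # Remove whitespace and control characters that browsers skip when reading a scheme,
    # so "java\tscript:" is judged by what a browser would see.
    compact = "".join(ch for ch in (value or "") if ch.isprintable() and not ch.isspace())
    scheme = urlsplit(compact).scheme.lower()
    return scheme == "" or scheme in ALLOWED_URL_SCHEMES


class AllowListSanitizer(HTMLParser):
    """Rebuilds the fragment from scratch, emitting only allow-listed markup.

    Comments, processing instructions and declarations are never re-emitted
    because the inherited handlers for them do nothing.
    """

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.parts = []
        self.dropping = None  # name of the script/style element being skipped

    def handle_starttag(self, tag, attrs):
        if self.dropping:
            return
        if tag in DROP_CONTENT_TAGS:
            self.dropping = tag
            return
        if tag not in ALLOWED_TAGS:
            return  # unknown element: its text survives, the element itself does not
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, ()):
                continue  # drops onclick=, style=, and every other unlisted attribute
            if name == "href" and not is_safe_href(value):
                continue
            kept.append(f' {name}="{escape(value or "", quote=True)}"')
        if tag == "br":
            self.parts.append("<br/>")
        else:
            self.parts.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if self.dropping:
            if tag == self.dropping:
                self.dropping = None
            return
        if tag in ALLOWED_TAGS and tag != "br":
            self.parts.append(f"</{tag}>")

    def handle_data(self, data):
        # Character references were decoded by the parser; re-escape on output.
        if not self.dropping:
            self.parts.append(escape(data, quote=False))

    def result(self):
        return "".join(self.parts)


def sanitize_html(fragment):
    """Return a copy of fragment containing only allow-listed markup."""
    sanitizer = AllowListSanitizer()
    sanitizer.feed(fragment)
    sanitizer.close()
    return sanitizer.result()


# Constructed sample: a publisher-supplied summary mixing prose with active content.
UNTRUSTED_SUMMARY = (
    '<p onclick="steal()">Great <b>read</b>!</p>'
    "<script>alert(1)</script>"
    '<a href="javascript:alert(1)">click</a>'
    '<a href="https://example.org/more">more</a>'
)

if __name__ == "__main__":
    print(sanitize_html(UNTRUSTED_SUMMARY))
```

Because the sanitiser re-serialises from its own parse tree rather than editing the input string, malformed or deliberately confusing markup cannot smuggle through an element the parser did not recognise; what the aggregator stores is exactly what it chose to emit.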
Original comment by abdela...@gmail.com
on 4 May 2010 at 5:05
Original comment by abdela...@gmail.com
on 25 May 2010 at 5:44
Original issue reported on code.google.com by
abdela...@gmail.com
on 10 Mar 2010 at 4:36