olsh / Feedly-Notifier

Google Chrome, Firefox, Opera and Microsoft Edge extension for reading news from RSS aggregator Feedly
http://olsh.github.io/Feedly-Notifier/
Mozilla Public License 2.0
273 stars, 38 forks

Possible XSS #162

Closed radimsuckr closed 4 years ago

radimsuckr commented 4 years ago

Describe the bug

This article just showed up in my Feedly and the part `<script type="module">` of the title didn't show up in the extension. Only the ending question mark was shown.

To Reproduce

Steps to reproduce the behavior:

  1. Have 'https://www.vzhurudolu.cz/prirucka/js-moduly' show up in the extension
  2. The part of JS code does not show up in the extension

Expected behavior

`<script type="module">` is visible in the title.

olsh commented 4 years ago

Hi @radimsuckr,

Thanks for reporting 👍

I just checked the RSS and it seems that feedly.com (not extension) removes the tag. Here is the screenshot from feedly.com


Also, here is the raw Feedly API response, without the tag


radimsuckr commented 4 years ago

Hi @olsh, I'm happy to hear that's not a security vulnerability.

I think we can close this since "the mystery" is solved. Thank you!

olsh commented 4 years ago

Yes, we are safe here. According to the Feedly API (https://developer.feedly.com/v3/entries/):

> title (Optional string): the article’s title. This string does not contain any HTML markup.

Moreover, for Firefox, I do the following trick because otherwise, the extension doesn't pass the review.

https://github.com/olsh/Feedly-Notifier/blob/24aa46eed4615830698462a8c87fc156a4abed6b/src/scripts/popup.js#L124-L128
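As an added illustration, not the extension's own popup.js code (the linked lines are not reproduced here), this shows the defence-in-depth the thread describes: the Feedly API promises a title without HTML markup, and the popup renders the title as text anyway, so a value like the one reported is displayed literally instead of being parsed. The sample title and the helper names (`escapeHtml`, `looksLikeMarkup`, `renderTitle`, `buildTitleHtml`) are assumptions made for this example.

```javascript
// Constructed sample input modelled on the report: a feed title that contains
// a script tag and ends with a question mark (the real article title is not
// known, so this wording is an assumption).
const REPORTED_TITLE = 'Co je <script type="module">?';

// Escape the five characters that let text change meaning inside HTML.
// Needed only when the popup builds an HTML string itself; '&' goes first so
// entities produced by later replacements are not double-escaped.
function escapeHtml(text) {
  return String(text)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Detect a violation of the API contract ("does not contain any HTML markup"):
// a tag-like sequence or an entity. Used to flag the feed, not to sanitise.
function looksLikeMarkup(title) {
  return /<\/?[a-z][\w-]*[^>]*>|&#?\w+;/i.test(title);
}

// Preferred rendering: assign the title as text. The browser never parses a
// textContent assignment, so a <script> in the title is shown as characters.
// `element` is any object with a textContent property (a DOM node in the popup).
function renderTitle(element, title) {
  if (looksLikeMarkup(title)) {
    // The API promised plain text; record the surprise for review.
    console.warn('feed title contains markup, rendering it as text:', title);
  }
  element.textContent = title;
  return element;
}

// Fallback when markup must be built as a string (e.g. an HTML template):
// the untrusted title is escaped before it is concatenated.
function buildTitleHtml(title) {
  return '<span class="title">' + escapeHtml(title) + '</span>';
}
```

With `renderTitle`, the reported title reaches the popup unchanged as text; with `buildTitleHtml`, the same title is embedded as `&lt;script type=&quot;module&quot;&gt;` and displays as the literal tag.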