Consuming RSS Safely

Joe Gregorio

The only reason users of Aggie didn’t get bit by Mark’s prank is that he put the rogue style attribute in the description element and not the content:encoded element. So Aggie, while is does strip object, meta and script tags, is still vulnerable to this kind of hack. A new version of Aggie will be posted when I have this fixed.

I don’t think that’s true, Joe. The Aggie parser folds content:encoded into description, if it finds any. (I already have the code that does the same for the Sam Ruby/Don Box xhtml tag, it’s just not checked in.) In any case, all such contents is checked for these tags, so I don’t see a reason to make any modifications.

Posted by Ziv Caspi on 2003-06-12

I didn’t think we removed style attributes. Time to do some testing.

Posted by Joe on 2003-06-13

comments powered by Disqus