Bugtraq mailing list archives
Re: MagpieRSS XSS 0day
From: Antone Roundy <electriceel () gmail com>
Date: Mon, 29 Dec 2008 16:24:46 -0600
admin () elites0ft com wrote:
it is a simple fix: htmlentities() around the parsed CDATA.
The problem with this solution is that if the feed contains harmless HTML that's used for formatting, the HTML code becomes visible and the formatting is lost.
A better solution is to strip out HTML tags. Either strip out all tags, or create a whitelist of tags that are allowed and strip out all others (if you want to keep any formatting, links, etc. provided by harmless HTML). Of course, if you do that, you also need to strip out JavaScript handlers (onMouseOver, etc.) since they could also trigger something harmful.
If writing the code to do that sounds too complicated, just use a script that does it for you like CaRP (full disclosure: I'm the author of CaRP).
Antone Roundy
Current thread:
- MagpieRSS XSS 0day admin (Dec 29)
- Re: MagpieRSS XSS 0day Antone Roundy (Dec 30)