Re: MagpieRSS XSS 0day

[Antone Roundy <electriceel () gmail com>]

admin () elites0ft com wrote:
> it is a simple fix: htmlentities() around the parsed CDATA.

The problem with this solution is that if the feed contains harmless 
HTML that's used for formatting, the HTML code becomes visible and the 
formatting is lost.

A better solution is to strip out HTML tags.  Either strip out all tags, 
or create a whitelist of tags that are allowed and strip out all others 
(if you want to keep any formatting, links, etc. provided by harmless 
HTML).  Of course, if you do that, you also need to strip out JavaScript 
handlers (onMouseOver, etc.) since they could also trigger something 
harmful.

If writing the code to do that sounds too complicated, just use a script 
that does it for you like CaRP (full disclosure: I'm the author of CaRP).

Antone Roundy