BugTraq
MagpieRSS XSS 0day Dec 28 2008 10:50PM
admin elites0ft com (1 reply)
Re: MagpieRSS XSS 0day Dec 29 2008 10:24PM
Antone Roundy (electriceel gmail com)
admin (at) elites0ft (dot) com wrote:
> it is a simple fix: htmlentities() around the parsed CDATA.

The problem with this solution is that if the feed contains harmless
HTML that's used for formatting, the HTML code becomes visible and the
formatting is lost.

A better solution is to strip out HTML tags. Either strip out all tags,
or create a whitelist of tags that are allowed and strip out all others
(if you want to keep any formatting, links, etc. provided by harmless
HTML). Of course, if you do that, you also need to strip out JavaScript
handlers (onMouseOver, etc.) since they could also trigger something
harmful.

If writing the code to do that sounds too complicated, just use a script
that does it for you like CaRP (full disclosure: I'm the author of CaRP).

Antone Roundy
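
The whitelist approach described in the reply above, as an added example in Python (not code from MagpieRSS, CaRP or the poster): disallowed tags are dropped but their text is kept, every attribute not on a per-tag whitelist (so every on* handler, style, etc.) is discarded, script and style bodies are removed outright, and text is re-escaped on output. It goes one step beyond the post by also rejecting href values whose scheme is not http, https or mailto, since a whitelisted <a> tag is still dangerous with a javascript: URL. The feed item, the tag and attribute whitelists and the function names are all constructed for this example.

```python
"""Whitelist-based HTML sanitiser for untrusted feed content (constructed example)."""
import html
from html.parser import HTMLParser

# Tags that carry harmless formatting and may survive (assumed whitelist).
ALLOWED_TAGS = frozenset({"p", "br", "b", "i", "em", "strong", "ul", "ol", "li", "a", "blockquote"})
# Attributes allowed per tag; anything else, including every on* handler, is dropped.
ALLOWED_ATTRS = {"a": {"href", "title"}}
# Schemes an href may use; javascript:, data:, vbscript: and friends are rejected.
SAFE_SCHEMES = ("http:", "https:", "mailto:")
VOID_TAGS = frozenset({"br"})


def _safe_href(value):
    """Browsers ignore control characters/whitespace and case in the scheme,
    so normalise before checking: 'jav\\tascript:' must not slip through."""
    v = "".join(ch for ch in value if ord(ch) > 32).lower()
    head = v.split("/", 1)[0].split("?", 1)[0].split("#", 1)[0]
    if ":" in head:            # an absolute URL: scheme must be whitelisted
        return v.startswith(SAFE_SCHEMES)
    return True                # relative URL, no scheme at all


class Sanitizer(HTMLParser):
    def __init__(self, allowed_tags):
        super().__init__(convert_charrefs=True)
        self.allowed_tags = allowed_tags
        self.out = []
        self.open_tags = []    # emitted tags still open, so we can balance them
        self.skip_depth = 0    # >0 while inside <script>/<style>: drop text too

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self.skip_depth += 1
            return
        if tag not in self.allowed_tags:
            return             # drop the tag itself, keep its text content
        parts = [tag]
        for name, value in attrs:   # names are already lower-cased by HTMLParser
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue       # onmouseover=, style=, etc. end here
            if name == "href" and not _safe_href(value or ""):
                continue
            parts.append('%s="%s"' % (name, html.escape(value or "", quote=True)))
        self.out.append("<" + " ".join(parts) + ">")
        if tag not in VOID_TAGS:
            self.open_tags.append(tag)

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)
        if tag not in VOID_TAGS:
            self.handle_endtag(tag)

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self.skip_depth = max(0, self.skip_depth - 1)
            return
        if tag in self.open_tags:
            while True:        # close anything left open inside it, then the tag
                top = self.open_tags.pop()
                self.out.append("</%s>" % top)
                if top == tag:
                    break

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(html.escape(data, quote=False))

    def handle_comment(self, data):
        pass                   # comments are dropped; they hide conditional tricks

    def close(self):
        super().close()
        while self.open_tags:  # balance tags the feed left unclosed
            self.out.append("</%s>" % self.open_tags.pop())


def sanitize_html(fragment, allowed_tags=ALLOWED_TAGS):
    p = Sanitizer(allowed_tags)
    p.feed(fragment)
    p.close()
    return "".join(p.out)


def strip_all_tags(fragment):
    """The simpler option from the post: no tags survive, text does."""
    return sanitize_html(fragment, allowed_tags=frozenset())


def escape_all(fragment):
    """The htmlentities() approach: safe, but formatting becomes visible markup."""
    return html.escape(fragment, quote=True)


# Constructed feed item mixing harmless formatting with several XSS vectors.
FEED_ITEM = (
    '<p>Read <a href="https://example.com/post" onmouseover="alert(1)">the <b>post</b></a> '
    '<a href=" JaVaScRiPt:alert(document.cookie)">here</a>.</p>'
    '<script>alert(1)</script>'
    '<img src=x onerror="alert(1)">'
    '<p>Also 5 &lt; 6 &amp; "quotes"</p>'
)

if __name__ == "__main__":
    print("whitelist:", sanitize_html(FEED_ITEM))
    print("strip all:", strip_all_tags(FEED_ITEM))
    print("escape all:", escape_all(FEED_ITEM))
```

Note that the stripped-and-lower-cased copy of the URL is used only for the scheme check; the original value is what gets emitted, escaped. Tag and attribute names arrive lower-cased from HTMLParser, so an onMouseOver handler is rejected by the same lookup as onmouseover.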

Copyright 2009, SecurityFocus