<<< Date Index >>>     <<< Thread Index >>>

Re: MagpieRSS XSS 0day



admin@xxxxxxxxxxxxx wrote:
it is a simple fix: htmlentities() around the parsed CDATA.

The problem with this solution is that if the feed contains harmless HTML that's used for formatting, the HTML code becomes visible and the formatting is lost.

A better solution is to strip out HTML tags. Either strip out all tags, or create a whitelist of tags that are allowed and strip out all others (if you want to keep any formatting, links, etc. provided by harmless HTML). Of course, if you do that, you also need to strip out JavaScript handlers (onMouseOver, etc.) since they could also trigger something harmful.

If writing the code to do that sounds too complicated, just use a script that does it for you like CaRP (full disclosure: I'm the author of CaRP).

Antone Roundy