script tag in entry content is not stripped out #723
Comments
Please read this: https://github.com/owncloud/news#bugs
Does it happen only with this particular feed? Do you mind sharing the feed address?
Hmm, bug seems to happen only with this specific feed. Here is a screenshot of how other feed readers render this code: Anyway I send you @cosenal a mail with the feed so you can test it.
Thanks a lot. I will have a look
It's a valid feed, but so many warnings! Anyway, it looks like we don't strip out the I created a demo feed with the same issue:
Hm we run it through two sanitizers and it's quite a trivial thing to sanitize. Will take a look next week once I'm back from holidays
PS, not a security issue since the script tag is converted to text, can confirm the bug. Actually why the fuck are these guys serving a script tag in their feeds xD? Are they trying to XSS their subscribers?
You're right, no security issue (my link to w3 was just to explain what a reader is supposed to do). Also, I have no idea why their feeds suck so much, I run the OP's feed through w3 validator and it counts more than a thousand warnings!
It works perfectly on OP's feed. Thanks!
I have installed ownCloud 8 and Opera 27.0, and installed all dependencies.
When I read an article from a feed, I see some not nice code that I don't see in other feed readers like tiny-tiny.
The bug does not depend only on the web client; I have the same issue on my mobile client, so I think the problem is here.
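
The difference this thread turns on, escaping a `<script>` element so that it shows up as text versus dropping the element together with its body, as an added example that is not ownCloud News code (the project's own sanitizers are not shown on this page). It uses Python's standard-library parser; the allow-list, the function and class names and the sample entry are assumptions made for the illustration.

```python
from html import escape
from html.parser import HTMLParser

# Assumed policy for this illustration: a small allow-list of tags/attributes.
ALLOWED = {"p": (), "em": (), "strong": (), "br": (), "a": ("href",)}
VOID = {"br"}
# Elements whose body is code, not prose: drop the tag and everything inside.
DROP_WITH_BODY = {"script", "style"}


class EntryCleaner(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.skip = 0  # > 0 while inside a dropped element

    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_BODY:
            self.skip += 1
        elif self.skip == 0 and tag in ALLOWED:
            # Keep only allow-listed attributes with http(s) URLs; event handlers go.
            kept = "".join(
                f' {k}="{escape(v)}"' for k, v in attrs
                if k in ALLOWED[tag] and v and v.startswith(("http://", "https://")))
            self.out.append(f"<{tag}{kept}>")

    def handle_endtag(self, tag):
        if tag in DROP_WITH_BODY:
            self.skip = max(0, self.skip - 1)
        elif self.skip == 0 and tag in ALLOWED and tag not in VOID:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if self.skip == 0:
            self.out.append(escape(data, quote=False))


def clean_entry(content):
    """Rebuild entry HTML from the allow-list, dropping script/style bodies."""
    cleaner = EntryCleaner()
    cleaner.feed(content)
    cleaner.close()
    return "".join(cleaner.out)


# Constructed sample entry, not taken from the feed discussed in the thread.
SAMPLE_ENTRY = ('<p>Release notes for <em>v2</em>.</p>'
                '<script type="text/javascript">window.tracker = "feed";</script>'
                '<p onclick="x()">Read <a href="https://example.org/post" '
                'onclick="y()">more</a></p>')
ESCAPED = escape(SAMPLE_ENTRY)       # script survives as visible text
CLEANED = clean_entry(SAMPLE_ENTRY)  # script element and body are gone
```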