Some RSS readers are vulnerable to security exploits and other annoyances embedded in RSS/XML feeds. This morning, Phil showed me a proof-of-concept sample for Newsgator, the Outlook-based RSS reader, triggered by VBScript code in an RSS feed that e-mails a random person in your Outlook address book.
Other readers may not be vulnerable to Outlook-style hacks, but they can still be screwed up by Javascript. Try subscribing to this RSS feed I created with your reader of choice. Syndirella displays the popup window and crashes on the Javascript alerts. How about other readers?
Just to be clear, I’m not saying this is a serious issue. Users only subscribe to trusted RSS feeds, and feed providers are extremely unlikely to put malicious code in their feeds. It’s just interesting that it works.
I subscribed to the test feed via NetNewsWire, and was able to read all the entries with no apparent effects.
I have posted comments related to NewsGator and this issue at http://www.newsgator.com/news/archive.aspx?post=3.
I noted this over on RSS-DEV and even made an amendment to the RSS 1.0 spec describing the problem.
The RSS-DEV team made a (bad) decision that it wasn’t important enough to include in the spec.
What was the change that you proposed?
Radio Userland 8.0.8/XP reads it fine.
No pop-ups, btw.
As Kevin said, this problem has been known for some time. The RSS validator will even warn if a feed contains potentially harmful HTML elements. (Please, no followups saying the validator should separately report warnings and errors. It’s coming eventually.)
http://feeds.archive.org/validator/check?url=http%3A%2F%2Fwww.waxy.org%2Frandom%2Ftext%2Fevil_rss.rdf
http://feeds.archive.org/validator/docs/warning/ContainsScript
Another, more subtle issue is the one of security zones. Browsers like Internet Explorer carve up the world into zones, and allow you to assign different security policies to each. But browser-based aggregators like Radio and Amphetadesk subvert this by pulling in remote content and republishing it in the local zone. So even if you’ve disabled active scripting for remote web sites, chances are your local 127.0.0.1:8888 or :5335 address is in the local (trusted) zone and has scripting enabled.
I wouldn’t necessarily classify this as a bug; the programs are functioning as designed, but the design has (possibly unintended) consequences, that’s all.
The latest build of Syndirella, 20030311, filters JavaScript from RSS description elements, so it should not be vulnerable to the simpler exploits.
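The two mitigations mentioned in this thread, the validator's "ContainsScript" warning and Syndirella's filtering of JavaScript from description elements, both come down to treating feed HTML as untrusted markup. The following is an added example written for this page; it is not code from waxy.org, Syndirella, NewsGator, or the feed validator. It uses only the Python standard library: it walks every item in an RSS 2.0 or RSS 1.0 document, reports the active content it finds in each description (script-type elements, on* event handlers, javascript: and other unsafe URL schemes), and returns a cleaned copy built from an allow-list of harmless tags. The sample feed at the bottom is constructed for the demonstration; the tag and attribute lists are this example's own choices.

```python
"""Detect and strip active content from RSS <description> payloads.

Added example, not the code of any aggregator or validator named on the page.
Allow-list filter built on html.parser; the sample feed below is constructed.
"""
import xml.etree.ElementTree as ET
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Elements a reader has no reason to render from a remote feed.
ACTIVE_TAGS = {"script", "style", "object", "embed", "iframe", "applet",
               "meta", "link", "form", "base"}
# Tags whose text content must be dropped along with the tag itself.
DROP_CONTENT = {"script", "style"}
# Conservative allow-list (example's own choice; extend to taste).
ALLOWED_TAGS = {"p", "br", "b", "i", "em", "strong", "a", "ul", "ol", "li",
                "blockquote", "pre", "code", "img"}
ALLOWED_ATTRS = {"a": {"href", "title"}, "img": {"src", "alt", "title"}}
SAFE_SCHEMES = {"", "http", "https", "mailto"}  # "" = relative URL


def _safe_url(value):
    """Reject javascript:, vbscript:, data: and any other unlisted scheme."""
    return urlsplit(value.strip()).scheme.lower() in SAFE_SCHEMES


class DescriptionSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []        # cleaned HTML fragments
        self.findings = []   # human-readable list of what was removed
        self._skip = 0       # >0 while inside <script>/<style>

    def handle_starttag(self, tag, attrs):
        if tag in ACTIVE_TAGS:
            self.findings.append(f"active element <{tag}>")
            if tag in DROP_CONTENT:
                self._skip += 1
            return
        if self._skip or tag not in ALLOWED_TAGS:
            return  # unknown tag: drop the tag, keep its text
        kept = []
        for name, value in attrs:
            lname = name.lower()
            value = value or ""
            if lname.startswith("on"):
                self.findings.append(f"event handler {lname} on <{tag}>")
                continue
            if lname not in ALLOWED_ATTRS.get(tag, set()):
                continue
            if lname in ("href", "src") and not _safe_url(value):
                self.findings.append(f"unsafe {lname} on <{tag}>: {value!r}")
                continue
            kept.append(f' {lname}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)  # treat <br/> like <br>

    def handle_endtag(self, tag):
        if tag in DROP_CONTENT and self._skip:
            self._skip -= 1
            return
        if not self._skip and tag in ALLOWED_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self._skip:
            self.out.append(escape(data, quote=False))
    # Comments (including IE conditional comments) fall through to the
    # base class and are dropped.


def sanitize_description(html_text):
    """Return (cleaned_html, findings) for one description string."""
    parser = DescriptionSanitizer()
    parser.feed(html_text or "")
    parser.close()
    return "".join(parser.out), parser.findings


def _local(tag):
    return tag.rsplit("}", 1)[-1]  # strip the RSS 1.0 namespace if present


def check_feed(xml_text):
    """Sanitize every item description; works for RSS 2.0 and RSS 1.0/RDF."""
    root = ET.fromstring(xml_text)
    results = []
    for item in root.iter():
        if _local(item.tag) != "item":
            continue
        fields = {_local(c.tag): (c.text or "") for c in item}
        clean, findings = sanitize_description(fields.get("description", ""))
        results.append({"title": fields.get("title", ""),
                        "clean": clean, "findings": findings})
    return results


# Constructed sample feed: one benign item, one carrying active content.
SAMPLE_FEED = """<?xml version="1.0"?>
<rss version="2.0"><channel><title>constructed test feed</title>
<item><title>benign</title>
<description>&lt;p&gt;Hello &lt;a href="http://example.com/"&gt;world&lt;/a&gt;&lt;/p&gt;</description></item>
<item><title>active content</title>
<description><![CDATA[<p onmouseover="alert(1)">Hi</p><script>alert('x')</script><a href="javascript:alert(2)">click</a>]]></description></item>
</channel></rss>"""

if __name__ == "__main__":
    for r in check_feed(SAMPLE_FEED):
        print(r["title"], "->", r["clean"], r["findings"])
```

A reader that applies this before handing markup to its rendering engine no longer depends on the browser's security-zone settings, which is the weakness described above for aggregators serving feed content from 127.0.0.1: content that never reaches the local zone as script cannot run there. The findings list is what a validator-style warning would report; the cleaned string is what a Syndirella-style filter would display.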