Microsoft's RSS Team comments on all the security stuff:

Sanitization: First, the Windows RSS Platform uses several techniques to strip out script (and several other variations of malicious HTML) before storing the feed content.

Great, except, uhm, its a horrible plan. The only way to really sanitize HTML input is to rebuild it into a DOM, and apply a whitelist of allowed HTML tags and attributes. Once that is done, re-render the DOM. All 'strip' techniques will fail, sooner or later.




Share