Don't Follow the Script

When his weblog moved in March, Michael Fioritto put JavaScript in the first item of his RSS feed to redirect visitors to his new site.

The news aggregator AmphetaDesk read the script tag and executed the redirect, making it impossible for me to use the software until I unsubscribed from his feed, which probably wasn't the effect he was going for.

An aggregator that doesn't strip out script and other dangerous tags is a security exploit waiting to happen.
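To make the point concrete, here is an allowlist sanitizer for RSS item descriptions, added as an example for this post (it is not AmphetaDesk's code or any real aggregator's). The tag and attribute allowlist, the URL scheme list and the sample feed are all constructed for illustration.

```python
from html import escape
from html.parser import HTMLParser
from xml.etree import ElementTree as ET

# Allowlist policy chosen for this example: anything not listed is dropped.
ALLOWED_TAGS = {"p", "b", "i", "em", "strong", "a", "blockquote"}
ALLOWED_ATTRS = {"a": {"href", "title"}}
SAFE_SCHEMES = ("http://", "https://", "mailto:")
DROP_WITH_CONTENT = {"script", "style", "iframe", "object", "embed"}

class FeedSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.skip = [], 0  # skip > 0 while inside a dropped element
    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_CONTENT:
            self.skip += 1
            return
        if self.skip or tag not in ALLOWED_TAGS:
            return  # unknown tag is removed; its text content is kept
        kept = []
        for name, value in attrs:
            value = (value or "").strip()
            if name.startswith("on") or name not in ALLOWED_ATTRS.get(tag, set()):
                continue  # event handlers and unlisted attributes are dropped
            if name == "href" and not value.lower().startswith(SAFE_SCHEMES):
                continue  # rejects javascript:, data:, vbscript: URLs
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")
    def handle_endtag(self, tag):
        if tag in DROP_WITH_CONTENT:
            self.skip = max(0, self.skip - 1)
        elif not self.skip and tag in ALLOWED_TAGS:
            self.out.append(f"</{tag}>")
    def handle_data(self, data):
        if not self.skip:
            self.out.append(escape(data, quote=False))  # script bodies never reach here

def sanitize_html(fragment):
    parser = FeedSanitizer()
    parser.feed(fragment)
    parser.close()
    return "".join(parser.out)

def sanitize_feed_descriptions(rss_xml):
    # Sanitized <description> of every <item> in an RSS 2.0 document, in feed order.
    root = ET.fromstring(rss_xml)
    return [sanitize_html(item.findtext("description") or "") for item in root.iter("item")]

# Constructed feed: a "we moved" item carrying a redirect script and a javascript: link.
CONSTRUCTED_FEED = """<rss version="2.0"><channel><title>constructed</title><item><title>Moved</title>
<description><![CDATA[<p>We have <b>moved</b>!</p><script>window.location="http://new.example/";</script>
<a href="javascript:alert(1)" onclick="go()">new home</a> <a href="http://new.example/">safe link</a>]]></description>
</item></channel></rss>"""
```

Run against the constructed feed, the item keeps its markup and the plain link while the script element, the `javascript:` href and the `onclick` handler are gone.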

Comments

Let me wildly disagree. It doesn't matter what you do, somebody will always find an exploit. JavaScript is generally safe. If the aggregator fails because of the JavaScript, then it's not a good aggregator. MHO. A great aggregator can display JavaScript, w/out a worry.

Even if you leave off the possibility of JavaScript exploits, there's still a lot of undesirable things that can be done with scripting, such as the redirect I described. I couldn't use AmphetaDesk unless I unsubscribed from his feed.

That happens because the JavaScript was probably redirecting the index.html to the new website. If you use the template AmphetaFrames (www.sunpig.com) instead of the default, that won't happen. The only feed that gets redirected is the one that has the JavaScript; the others can still be read.
