
RSS Link input is vulnerable to HTML injection #1

@tankeehock

When the reader ingests the RSS feed, it attempts to parse the XML content. However, the use of CDATA within the Link element can be used to perform HTML injection. A simple payload will look like this: <![CDATA[ https://google.com"> <img src="1"> ]]>.

Recommend escaping the characters before displaying them to the user.
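The following is an added example, not code from this project or from the reporter. It parses a constructed feed carrying the payload quoted above and renders the link two ways: by string concatenation (an assumed pattern, since the reader's own rendering code is not shown in the issue) and with escaping applied. The function names are hypothetical, and the scheme check goes one step beyond the escaping the issue recommends.

```python
import html
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed feed; the <link> carries the payload quoted in the issue.
FEED = """<?xml version="1.0"?>
<rss version="2.0"><channel><title>demo</title>
<item><title>Post</title>
<link><![CDATA[ https://google.com"> <img src="1"> ]]></link>
</item></channel></rss>"""


def item_links(feed_xml):
    """Return the text of every item's <link>.

    The XML parser hands CDATA content back as raw characters, so any
    markup inside it is still live when it reaches the renderer.
    """
    root = ET.fromstring(feed_xml)
    return [(item.findtext("link") or "") for item in root.iter("item")]


def render_unsafe(link):
    """Assumed vulnerable pattern: feed text concatenated into markup."""
    return '<a href="' + link + '">' + link + '</a>'


def render_safe(link):
    """Escape for attribute and text contexts after checking the scheme."""
    url = link.strip()
    try:
        scheme = urlsplit(url).scheme.lower()
    except ValueError:  # malformed URL, treat as not linkable
        scheme = ""
    if scheme not in ("http", "https"):
        return html.escape(url)          # inert text, no anchor emitted
    safe = html.escape(url, quote=True)  # & < > " ' become entities
    return '<a href="' + safe + '" rel="noopener noreferrer">' + safe + '</a>'


if __name__ == "__main__":
    for link in item_links(FEED):
        print("unsafe:", render_unsafe(link))
        print("safe:  ", render_safe(link))
```

With the escaped form, the quote that closed the `href` attribute and the angle brackets of the `img` tag reach the browser as entities, so the whole value stays inside the attribute and the link text.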
