Details
- Suggestion
- Resolution: Won't Fix
Description
A great improvement for RSS macros would be to implement "cleansing" or "sanitization" of external RSS feeds. This may be something that is configured at the admin level or at the macro level – I'd prefer it to be a global admin requirement. Having externally linked content is a security risk, and for that Atlassian should be commended for the Whitelist function. But the risk remains that malicious content could be brought in through a whitelisted feed.
There are plenty of projects that are dedicated to aggregation, modification, and security sanitization of RSS content. http://simplepie.org/ is an example of the various projects that do this. The existing tools sanitize the RSS feeds by stripping out entire tags that are insecure, as well as individual attributes of otherwise secure tags that may be insecure. Depending on how the projects are licensed and Atlassian's policies for inclusion of third-party code, this may be a fairly simple feature to implement.
Issue Links
- relates to CONFSERVER-34009: Flash content-type sniffing allows Cross Site Data Hijacking (Closed)