Forum .LRN Q&A: Re: news-aggregator portlet error
3: Re: news-aggregator portlet error (response to 1)
Posted by Felipe Gelbcke Gubert on 03/15/04 07:28 PM
Same with weblog... (if you post a link) solves the problem
4: Re: news-aggregator portlet error (response to 3)
Posted by Jeff Davis on 03/15/04 07:51 PM
You need to be careful making things like that noquote, since someone could put something like the following in an aggregated feed you read on yoursite.com:
<img src="http://yoursite.com/admin/grant-admin?user_id=eviluser">
When you went to read it, it would get the URL, which would grant sitewide admin to their user_id on your site.
In general, anything that comes from the outside needs to be checked for XSS and allowed tags before it is displayed.
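As an added illustration of the "allowed tags" check described above (this is example code, not part of the thread or of the .LRN/OpenACS code base), the sanitizer below keeps only an allowlist of tags and attributes from an untrusted feed item and rejects any href that does not use a known-safe scheme. The feed item, the allowlist and the function name sanitize_feed_html are constructed for the example.

```python
"""Allowlist HTML sanitizer for untrusted feed content (added example).

Assumed setting: an aggregator that renders feed item bodies as HTML.
Only the tags and attributes listed below survive; everything else is
dropped (tags) or escaped (text). Script/style bodies are discarded.
"""
from html import escape
from html.parser import HTMLParser

ALLOWED_TAGS = {"p", "b", "i", "em", "strong", "a", "ul", "ol", "li",
                "br", "blockquote", "code", "pre"}
ALLOWED_ATTRS = {"a": {"href", "title"}}          # per-tag attribute allowlist
VOID_TAGS = {"br"}                                 # no closing tag emitted
DROP_CONTENT_TAGS = {"script", "style"}            # drop the body, not just the tag
SAFE_URL_SCHEMES = ("http://", "https://", "mailto:")


class _Sanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []        # sanitized fragments
        self.dropped = []    # tag names removed, handy for logging
        self._skip = None    # name of script/style tag whose body is being skipped

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT_TAGS:
            self._skip = tag
        if tag not in ALLOWED_TAGS:
            self.dropped.append(tag)           # e.g. img, script, iframe, form
            return
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()) or value is None:
                continue                       # drops onclick=, style=, etc.
            if name == "href" and not value.strip().lower().startswith(SAFE_URL_SCHEMES):
                continue                       # drops javascript:, data:, relative URLs
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)       # <br/> is treated like <br>

    def handle_endtag(self, tag):
        if tag == self._skip:
            self._skip = None
        if tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if self._skip:
            return                             # inside <script>/<style>: discard
        self.out.append(escape(data, quote=False))

    # Comments, doctype and processing instructions carry no content we want.
    def handle_comment(self, data):
        pass

    def handle_decl(self, decl):
        pass

    def handle_pi(self, data):
        pass


def sanitize_feed_html(html):
    """Return (sanitized_html, list_of_dropped_tag_names)."""
    parser = _Sanitizer()
    parser.feed(html)
    parser.close()
    return "".join(parser.out), parser.dropped


# Constructed feed item containing the kind of payload discussed in the thread.
FEED_ITEM = (
    '<p>Great post! See <a href="https://example.org/x" onclick="steal()">this</a>.</p>'
    '<img src="http://yoursite.com/admin/grant-admin?user_id=eviluser">'
    '<script>alert(1)</script>'
    '<a href="javascript:alert(1)">click</a>'
)

if __name__ == "__main__":
    clean, dropped = sanitize_feed_html(FEED_ITEM)
    print(clean)
    print("dropped tags:", dropped)
```

The img tag that would have triggered the grant-admin request never reaches the page, event-handler attributes and javascript: links are stripped, and the dropped-tag list gives you something to log when a feed starts carrying markup it should not. Sanitizing output is one layer; the other half of the defence against that particular trick is that an action like granting admin should never be reachable by a plain GET without a per-request token, so a fetched image can not perform it even if the filter is bypassed.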