Forum .LRN Q&A: Re: news-aggregator portlet error

Collapse
Posted by Felipe Gelbcke Gubert on
Same with weblog... (if you post a link)

@entries-content@

@entries-content;noquote@

solves the problem

Collapse
Posted by Jeff Davis on
You need to be careful making things like that noquote since if someone were to put something like the following: in
<img src="http://yoursite.com/admin/grant-admin?user_id=eviluser">
in an aggregated feed you read on yoursite.com. When you went to read it, it would get the url which would grant sitewide admin to thier user_id on your site.

In general, anything that comes from the outside needs to be checked for XSS and allowed tags before it is displayed.