Script in Feeds

You might have read the c|net article "Blog feeds may carry security risk" which summarizes the presentation given by Robert Auger and Caleb Sima of SPI Dynamics. The presentation points to potential dangers of malicious script embedded in feeds. This has sparked some discussion in the community.

We think it's good for the RSS community and users that the potential dangers of malicious script in feeds are pointed out and thereby can be addressed by application developers before any attacks materialize.

In IE7 and the Windows RSS Platform we've implemented several mitigations that specifically address potentially malicious scripts in feeds:

Sanitization
When downloading feeds, the RSS Platform passes the feed through a sanitization process which among other things removes script from HTML fields like the description element. Also, text fields, like the title element, are treated as text and not as HTML, so HTML tags are entity encoded. These steps are performed before the feed content is accessible by application including IE7's Feed View. Further, the feed content is persisted in the Feed Store in the sanitized form, so that applications accessing the feed data benefit from the sanitization.

Feed View in Restricted zone
The IE7 Feed View displays feeds in the Restricted security zone, no matter where the feed originated, even if for example the feed came from a site in the Trusted Sites zone. By default script is disabled in the Restricted zone. In addition, the Feed View disallows URL Actions including script and active content. 

We designed and implemented the RSS features using the principles of the Secure Development Lifecycle as embraced by Microsoft.  One of the principles is defense in depth. The idea being, even if script somehow were to sneak by the first layer of defense, the impact that the script could have is restricted, if not entirely negated.

Hosting IE in Applications
The second mitigation above can be of interest to application developers who are hosting MSHTML inside their applications. When using MSHTML to render feeds, we recommend that the host application implements a custom security manager, which allows the application to control which URL Actions are permissible. In order to reduce the attack surface of the application it is advisable to limit the permissible URL Actions to the smallest number possible.

I hope this will spark even more discussion about security and RSS which will ultimately benefit users.

- Walter vonKoch

[Update 8/16] Peter Plamondon of SPI Dynamics provided the link to the paper itself in the comments.

[Update 8/17] As noted by Sean Kerner in the comments, the presentation was given by Bob Auger solo. I've correct the intro above. Thanks.