I am reading in RSS / Atom feeds from external sites using the SyndicationFeed class:
XmlReader reader = XmlReader.Create(RssFeed);
SyndicationFeed feed = SyndicationFeed.Load(reader);
What's the best way to avoid the common security risks in reading RSS and Atom feeds (some are stated here: http://www.cgisecurity.com/rss.html) while still allowing HTML-formatted text and video content to show on my site?
EDIT
Security risks:
Feeds could contain malicious markup, as follows:
<?xml version="1.0" encoding="ISO-8859-1"?>
<rss version="2.0">
  <channel>
    <title><script>alert('Channel Title')</script></title>
    <link>http://www.mycoolsite.com/</link>
    <description><script>alert('Channel Description')</script></description>
    <language>en-us</language>
    <copyright>Mr Cool 2006</copyright>
    <pubDate>Thu, 22 Jun 2006 11:09:23 EDT</pubDate>
    <ttl>10</ttl>
    <image>
      <title><script>alert('Channel Image Title')</script></title>
      <link>http://www.mycoolsite.com/</link>
      <url>http://www.mycoolsite.com/logo.gif</url>
      <width>144</width>
When rendered, the JavaScript code will run and display the alert box; the content of this could be malicious.
Cross-Site Request Forgery
An attacker can utilize Cross-Site Request Forgery (CSRF or XSRF) attacks. For example:
<img src="http://www.mystocktradersite.com/transaction.asp?sell=google&buy=Microsoft&numshares=1000">
The users posting feeds on the site will have to be logged in, but anyone can sign up for an account. I'd like to know the best way to allow legitimate users to have their RSS / Atom feeds read and show images, but not to allow malicious content.
I'm currently looking at the Microsoft AntiXSS library to help with this: http://wpl.codeplex.com/
EDIT 2
I'm reading this into my controller in an MVC web application, and want to render the RSS feed in a view.
Here's the full action result:
public PartialViewResult Blog(int id, string blogId)
{
    var project = _projectRepository.GetById(id);
    // the feed URL comes from the project record and is loaded as-is
    XmlReader reader = XmlReader.Create(project.RssFeed);
    SyndicationFeed feed = SyndicationFeed.Load(reader);

    // pick the requested item out of the feed and map it onto the view model
    var blog = (from rss in feed.Items
                where rss.Id == blogId
                select new VmProjectBlog
                {
                    Id = rss.Id,
                    Title = rss.Title.Text,
                    PublishedDate = rss.PublishDate.DateTime,
                    Description = rss.Summary.Text,
                    // the view reads Model.Link; taken from the item's first link (assumes a string property)
                    Link = rss.Links.Select(l => l.Uri.ToString()).FirstOrDefault()
                }).FirstOrDefault();
    return PartialView("_Blog", blog);
}
Here's the view:
<div id="summary">
    <div class="full blog">
        <div class="article large">
            <div class="title">
                <h2>@Model.Title</h2>
            </div>
            <div class="post">
                @Html.Raw(Model.Description)
            </div>
        </div>
        <a class="button-lrg-blue" href="@Model.Link"><span>Read full blog ...</span></a>
    </div>
</div>
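As an added example (not the asker's code and not the AntiXSS library's API), here is one way to load a feed with DTD processing switched off and reduce each item's HTML to an allow-list before it reaches Html.Raw, so the script elements from the sample feed above are dropped while ordinary markup, images and trusted video embeds survive. It uses HtmlAgilityPack for parsing; the tag, attribute and video-host lists are assumptions to adapt.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.ServiceModel.Syndication;
using System.Xml;
using HtmlAgilityPack;
public static class FeedSanitizer
{
    static readonly HashSet<string> AllowedTags = new HashSet<string>(StringComparer.OrdinalIgnoreCase)
        { "p", "br", "b", "i", "em", "strong", "ul", "ol", "li", "a", "img", "iframe", "blockquote", "h2", "h3" };
    static readonly HashSet<string> AllowedAttrs = new HashSet<string>(StringComparer.OrdinalIgnoreCase)
        { "href", "src", "alt", "title", "width", "height" };
    // Embedded video frames are kept only when they point at a host you trust (assumed list).
    static readonly HashSet<string> VideoHosts = new HashSet<string>(StringComparer.OrdinalIgnoreCase)
        { "www.youtube.com", "player.vimeo.com" };
    public static SyndicationFeed LoadFeed(string url)
    {
        // A feed you did not author gets no DOCTYPE processing and no external entity resolution.
        var settings = new XmlReaderSettings { DtdProcessing = DtdProcessing.Prohibit, XmlResolver = null };
        using (var reader = XmlReader.Create(url, settings)) return SyndicationFeed.Load(reader);
    }
    public static string Sanitize(string html)
    {
        var doc = new HtmlDocument();
        doc.LoadHtml(html ?? string.Empty);
        foreach (var node in doc.DocumentNode.Descendants().ToList())
        {
            if (node.NodeType == HtmlNodeType.Comment) { node.Remove(); continue; }
            if (node.NodeType != HtmlNodeType.Element) continue;
            // Unlisted elements go together with their content, so <script>alert(...)</script> vanishes whole.
            if (!AllowedTags.Contains(node.Name)) { node.Remove(); continue; }
            foreach (var attr in node.Attributes.ToList())
            {
                bool keep = AllowedAttrs.Contains(attr.Name);   // drops onload=, onerror=, style=, ...
                if (keep && (attr.Name == "href" || attr.Name == "src"))
                    keep = IsSafeUrl(attr.Value, node.Name == "iframe");
                if (!keep) attr.Remove();
            }
            if (node.Name == "iframe" && node.Attributes["src"] == null) node.Remove();
        }
        return doc.DocumentNode.InnerHtml;
    }
    static bool IsSafeUrl(string value, bool mustBeVideoHost)
    {
        // Absolute http(s) only, which rejects javascript:, data: and vbscript: URLs.
        if (!Uri.TryCreate(value, UriKind.Absolute, out Uri uri)) return false;
        if (uri.Scheme != Uri.UriSchemeHttp && uri.Scheme != Uri.UriSchemeHttps) return false;
        return !mustBeVideoHost || VideoHosts.Contains(uri.Host);
    }
}
```

The string returned by Sanitize is what the view would hand to Html.Raw instead of the raw Summary text. It cannot tell a legitimate <img> from the transaction.asp example above, since both are plain GET requests; that risk is addressed on the target site (anti-forgery tokens, no state changes on GET) or by proxying remote images through your own host.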