TL;DR
RSS feeds can sometimes contain malicious JavaScript code that could harm your system or steal data. This guide shows you how to safely read RSS feeds by stripping out potentially dangerous elements before they're processed.
How to Avoid Malicious JavaScript in RSS Feeds
- Understand the Risk: RSS feeds are often used to distribute content, but they can also be exploited. Attackers might inject JavaScript into feed items (titles, descriptions) to run harmful code on your computer or server when you open the feed.
- This is especially dangerous if you automatically process RSS feeds without checking their contents.
- Use a Dedicated RSS Reader with Sanitisation: The easiest and safest option is to use an RSS reader that actively sanitises feeds. Many modern readers do this automatically.
- Examples include Feedly, Inoreader, and NewsBlur. Check the documentation of your chosen reader to confirm it offers JavaScript stripping or content filtering.
- If Building Your Own RSS Parser: If you’re writing your own script or application to read RSS feeds, you must implement sanitisation.
- HTML Parsing Library: Use a robust HTML parsing library in your programming language. Avoid using regular expressions for this task; they are unreliable and prone to errors when dealing with complex HTML structures.
- Example (Python with Beautiful Soup):

```python
from bs4 import BeautifulSoup

# A feed item containing an inline script (constructed sample)
feed_item = "<p>Some text <script>alert('XSS')</script></p>"
soup = BeautifulSoup(feed_item, 'html.parser')

# Remove all script tags, including their contents
for script in soup.find_all('script'):
    script.extract()

safe_html = str(soup)
print(safe_html)
```

- Content Security Policy (CSP): If you're displaying the RSS feed content within a web page, implement a strong Content Security Policy to restrict the sources from which scripts can be loaded. This adds an extra layer of protection.
- Example CSP header:
Content-Security-Policy: default-src 'self'; script-src 'self'
- Strip Unsafe Tags and Attributes: Remove potentially dangerous HTML tags (like <script>, <iframe>, <object>) and attributes (like onload, onclick) from the feed content.
- Example (PHP):
- URL Sanitisation: Be cautious about links within RSS feed items. Attackers might use shortened URLs or redirect chains to hide malicious websites.
- Expand shortened URLs before displaying them.
- Check the reputation of linked domains using a service like VirusTotal or URLScan.io.
- Regular Updates: Keep your RSS reader, HTML parsing libraries, and other related software up to date with the latest security patches.
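The tag-and-attribute stripping rule and the link check above, combined in one sanitiser as an added example (this is not code from the original guide): it uses only Python's standard library, allow-lists tags and attributes, removes <script>/<iframe>/<object> together with their contents, drops every on* event-handler attribute, and keeps only absolute http(s) links. The allow-lists are assumptions chosen for illustration; adjust them to the markup your reader needs.

```python
# Added example, not code from the original guide: an allow-list sanitiser for
# RSS item HTML using only the standard library. It drops <script>/<iframe>/
# <object> with their contents, strips on* event handlers, and keeps only http(s) links.
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlparse

ALLOWED_TAGS = {"p", "a", "b", "i", "em", "strong", "ul", "ol", "li"}  # assumed list
ALLOWED_ATTRS = {"a": {"href", "title"}}          # everything else is dropped
DROP_WITH_CONTENT = {"script", "style", "iframe", "object"}  # tag and its text go

def safe_url(value):
    # Accept only absolute http(s); rejects javascript:, data:, vbscript: and similar.
    return urlparse(value.strip()).scheme.lower() in {"http", "https"}

class FeedSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.skip_depth = [], 0  # skip_depth > 0: discarding content

    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_CONTENT:
            self.skip_depth += 1
            return
        if self.skip_depth or tag not in ALLOWED_TAGS:
            return  # unlisted tag: drop the tag itself, keep its text
        kept = []
        for name, value in attrs:
            if name.startswith("on") or name not in ALLOWED_ATTRS.get(tag, ()):
                continue  # event handlers and unlisted attributes are removed
            if name == "href" and not safe_url(value or ""):
                continue  # javascript:/data: links are removed
            kept.append(f' {name}="{escape(value or "", quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in DROP_WITH_CONTENT:
            self.skip_depth = max(0, self.skip_depth - 1)
        elif not self.skip_depth and tag in ALLOWED_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(escape(data, quote=False))  # re-escape text nodes

def sanitize(feed_html):
    parser = FeedSanitizer()
    parser.feed(feed_html)
    parser.close()
    return "".join(parser.out)
```

Run `sanitize()` over each item's title and description before it reaches your template; the CSP header above remains a second layer, not a replacement for this step.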