Closed Bug 446495 Opened 17 years ago Closed 17 years ago

Even escaped HTML code is rendered partly in the feed preview.

Categories

(Firefox Graveyard :: RSS Discovery and Preview, defect)

3.0 Branch
x86
Windows XP
defect
Not set
normal

Tracking

(Not tracked)

VERIFIED INCOMPLETE

People

(Reporter: max.vogler, Unassigned)

Details

(Whiteboard: [sg:needinfo])

Attachments

(2 files)

User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; de; rv:1.9.0.1) Gecko/2008070208 Firefox/3.0.1
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; de; rv:1.9.0.1) Gecko/2008070208 Firefox/3.0.1

HTML is parsed partly (<img> is parsed, <script> not) even if it's escaped. This is extremely dangerous for websites that allow RSS feeds for user generated content. An evil user who submits an image like <img src="http://evil.org/track_ip.php"> is able to find out the IP of everyone that previews the feed.

Reproducible: Always

Steps to Reproduce:
1. Find a feed which contains escaped HTML and preview it in Firefox

Actual Results:
Images and other escaped(!) HTML are rendered, scripts not

Expected Results:
No escaped HTML should be rendered.

<![CDATA[<b>this text should be bold</b>]]>
<![CDATA[&lt;b&gt; this text shouldn't be..
Version: unspecified → 3.0 Branch
Attached file WFM testcase
This testcase, with <![CDATA[&lt;b&gt;..., works for me - the preview displays <b>Am I bold?</b> in trunk and 3.0.2. Can you attach a testcase feed that demonstrates what you are seeing?
Whiteboard: [sg:needinfo]
Attached file Also WFM testcase
Title and description, channel and item, none of it being double-unescaped and rendered. Max, we really need an attached testcase that shows what you're seeing, to be able to do anything here.
After a month probably not going to get any more information
Group: core-security
Status: UNCONFIRMED → RESOLVED
Closed: 17 years ago
Resolution: --- → INCOMPLETE
Verifying incomplete. If it can be reproduced in Firefox 3.5 or 3.6 and more information is provided, we will reopen.
Status: RESOLVED → VERIFIED
Product: Firefox → Firefox Graveyard
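
The escaping levels discussed in this bug, as an added example that is not from the bug's attachments or from Firefox's code: a check a feed publisher can run to see which descriptions a decode-once previewer would treat as markup and which stay literal text. The sample feed, the tracker.example URL and the names preview_model and _Tokens are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from html.parser import HTMLParser

# Constructed sample feed (not one of the bug's attachments).
FEED = """<?xml version="1.0"?>
<rss version="2.0"><channel><title>constructed sample</title>
<item><description><![CDATA[<b>bold</b> <img src="http://tracker.example/p.gif">]]></description></item>
<item><description><![CDATA[&lt;b&gt;not bold&lt;/b&gt; &lt;img src="http://tracker.example/p.gif"&gt;]]></description></item>
<item><description>&lt;i&gt;entity-escaped once&lt;/i&gt;</description></item>
</channel></rss>"""


class _Tokens(HTMLParser):
    """Records which tags become markup and which stay literal text."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.tags, self.autoload, self.text = [], [], []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        # Only src is checked here: it is fetched as soon as the element renders.
        for name, value in attrs:
            if name == "src" and value and value.startswith(("http:", "https:", "//")):
                self.autoload.append((tag, value))

    def handle_data(self, data):
        self.text.append(data)


def preview_model(feed_xml):
    """Decode each <description> once (XML layer), then tokenize it as HTML."""
    results = []
    for desc in ET.fromstring(feed_xml).iter("description"):
        parser = _Tokens()
        parser.feed(desc.text or "")
        parser.close()  # flush any buffered text
        results.append({"tags": parser.tags, "autoload": parser.autoload,
                        "text": "".join(parser.text)})
    return results


if __name__ == "__main__":
    for number, item in enumerate(preview_model(FEED), 1):
        print(number, item)
```

Items whose autoload list is non-empty carry markup that a previewer would fetch on display, so user-submitted content should be escaped or sanitized before it reaches that layer of the feed.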