Closed Bug 1240603 Opened 9 years ago Closed 8 years ago

Thunderbird unescapes content in RSS title

Categories

(MailNews Core :: Feed Reader, defect)

defect
Not set
normal

Tracking

(Not tracked)

RESOLVED FIXED
Thunderbird 52.0

People

(Reporter: wd, Assigned: alta88)

Details

Attachments

(3 files, 1 obsolete file)

When reading an RSS feed that appears to properly escape HTML, Thunderbird appears to be unescaping content in the process of translating it from the raw RSS XML to HTML.

For example, the reddit AskNetsec feed:
https://www.reddit.com/r/AskNetsec/.rss

has an entry called "Does reddit filter script like <script>alert(1)</script> from titles?". When viewing the message source, the HTML content that makes up "<script>" etc. is unescaped. Meaning that anyone with control of an entry in the RSS feed (e.g. a Reddit contributor) appears to have full control of the resulting HTML tags for the entry.

Now that I think about it, this might not be a Thunderbird issue at all. It looks like Reddit is choosing to double-escape the message body part, but only single-escape the title part. So perhaps this should be closed as invalid.

The double escaping is part of the nature of RSS, but I think the problem here is that Thunderbird is treating

    <title>&lt;/title&gt;</title>

as identical to 

    <title></title></title>

which seems wrong.

I don't really know enough about RSS to know for sure, but what I gather at this point is:

RSS feeds need to have the ability to convey HTML content, including full control over HTML elements and all. And since the information contained within the RSS feed needs to be escaped so that it doesn't break the XML structure, then Thunderbird needs to decode it and treat the resulting content as HTML. Right?

See also: http://www.intertwingly.net/wiki/pie/Rss20AndAtom10Compared#payload

Right, I think there are two bugs. Because RSS does its crazy double-escaping thing, reddit should be double-escaping things that could be interpreted as HTML. But Thunderbird appears to also be treating the single-escaped HTML incorrectly.
Component: General → Feed Reader
Product: Thunderbird → MailNews Core
Version: 38 Branch → unspecified

Fortunately, reddit has since had the good sense to switch to Atom, where

    <title>Does reddit filter script like &lt;script&gt;alert(1)&lt;/script&gt; from titles?</title>

will work just fine (with or without a type="text" attribute).

For the amateurish and poor specification called RSS, there are many hoops code must jump through, as comment 4 notes. The relevant one here is that <title> is not mandatory, and so <description> must be used in its place, which has a different presentation usage and thus encoding (see http://www.rssboard.org/rss-encoding-examples). The parser forgot to escape <title> in case it's not derived from <description>, as it unescapes before storage in the event there are html entities in title.
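
The failure described in the comment above, shown as an added example that is not part of this bug thread or of Thunderbird's code. All function names are hypothetical, `xmlTextContent` is a stand-in for what an XML parser returns as `textContent`, and the `<h1>` wrapper is an assumed placeholder for the generated message body.

```javascript
// Added illustration. Function names are hypothetical, not Thunderbird's.

// Stand-in for an XML parser's textContent: decodes the five predefined
// XML entities once. &amp; goes last so "&amp;lt;" yields "&lt;", not "<".
function xmlTextContent(raw) {
  return raw
    .replace(/&lt;/g, "<")
    .replace(/&gt;/g, ">")
    .replace(/&quot;/g, '"')
    .replace(/&apos;/g, "'")
    .replace(/&amp;/g, "&");
}

// Encode plain text for placement inside HTML element content.
function escapeHtml(text) {
  return text
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;");
}

// Behaviour reported in the bug: decoded title text reused as HTML as-is.
function titleAsContentUnescaped(rawTitle) {
  return "<h1>" + xmlTextContent(rawTitle) + "</h1>";
}

// Title is plain text, so it is re-escaped before it becomes HTML.
function titleAsContentEscaped(rawTitle) {
  return "<h1>" + escapeHtml(xmlTextContent(rawTitle)) + "</h1>";
}

// True when the HTML contains an element other than the <h1> wrapper.
function hasInjectedElement(html) {
  return /<(?!\/?h1>)[a-z/]/i.test(html);
}

// Sample inputs: the single-escaped title quoted in this thread, and a
// constructed double-escaped variant of the same text.
const SINGLE = "Does reddit filter script like &lt;script&gt;alert(1)&lt;/script&gt; from titles?";
const DOUBLE = SINGLE.replace(/&/g, "&amp;");

for (const [label, raw] of [["single", SINGLE], ["double", DOUBLE]]) {
  console.log(label, "unescaped path injects:", hasInjectedElement(titleAsContentUnescaped(raw)));
  console.log(label, "escaped path injects:  ", hasInjectedElement(titleAsContentEscaped(raw)));
}
```
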
Attached patch feedTitle.patch (obsolete)
Assignee: nobody → alta88
Attachment #8794534 - Flags: review?(mkmelin+mozilla)
Comment on attachment 8794534
feedTitle.patch

Review of attachment 8794534:
-----------------------------------------------------------------

::: mailnews/extensions/newsblog/content/feed-parser.js
@@ +208,5 @@
> +      // Escape html entities in <title>, which are unescaped as textContent
> +      // values. If the title is used as content, it will remain escaped; if
> +      // it is used as the title, it will be unescaped upon store. Bug 1240603.
> +      // The <description> tag must follow escaping examples found in
> +      // http://www.rssboard.org/rss-encoding-examples, ie single escape angle
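
Review bot: The comment at the top of this hunk makes the handling of the title depend on two steps that live apart, the escape done here and the unescape "upon store", without saying where the second one happens. Naming that location in the comment would let a later change to either side be checked against the other, so that a single-escaped `<title>` does not end up as markup in the message again. A test feed whose title carries escaped angle brackets, checked once on the title path and once on the title-used-as-content path, would pin both cases down.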

nit: i.e.
Attachment #8794534 - Flags: review?(mkmelin+mozilla) → review+
Attached patch feedTitle.patch
Attachment #8794534 - Attachment is obsolete: true
Attachment #8794786 - Flags: review+
Keywords: checkin-needed
Status: NEW → RESOLVED
Closed: 8 years ago
Keywords: checkin-needed
Resolution: --- → FIXED
Target Milestone: --- → Thunderbird 52.0