User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; de; rv:22.214.171.124) Gecko/2008070208 Firefox/3.0.1
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; de; rv:126.96.36.199) Gecko/2008070208 Firefox/3.0.1

HTML is partly parsed (<img> is parsed, <script> is not) even if it's escaped. This is extremely dangerous for websites that allow RSS feeds for user generated content. An evil user who submits an image like <img src="http://evil.org/track_ip.php"> is able to find out the IP of everyone who previews the feed.

Reproducible: Always

Steps to Reproduce:
1. find a feed which contains escaped html and preview it in firefox

Actual Results:
Images and other escaped(!) HTML are rendered, scripts are not

Expected Results:
No escaped HTML should be rendered.

<![CDATA[<b>this text should be bold</b>]]> <![CDATA[<b> this text shouldn't be..
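The distinction the report hinges on is between markup that the feed carries as HTML (CDATA or XML-escaped once, which a preview may render) and markup that is escaped a second time inside that HTML (which must show up as literal text, never be "double-unescaped"), plus the separate question of which rendered elements may fetch remote resources. The following is an added example, not code from the bug report or from Firefox: a minimal feed preview sanitizer that parses a constructed RSS document, renders only an allowlist of formatting tags, keeps once-escaped text literal, and drops <img> and <script> so that a description cannot make the previewing client contact a tracking URL. The feed content and the tracker.example.invalid host are constructed for the example.

```python
import html
import xml.etree.ElementTree as ET
from html.parser import HTMLParser

# Constructed sample feed (not from the bug report). Three items cover the
# cases discussed: literal markup in CDATA, markup escaped inside the HTML
# (XML-escaped twice), and an <img>/<script> pair pointing at a hypothetical
# tracking host.
SAMPLE_FEED = (
    '<?xml version="1.0"?>'
    '<rss version="2.0"><channel><title>demo</title>'
    '<item><title>cdata</title>'
    '<description><![CDATA[<b>Am I bold?</b>]]></description></item>'
    '<item><title>escaped</title>'
    "<description>&amp;lt;b&amp;gt;this text shouldn't be bold&amp;lt;/b&amp;gt;</description></item>"
    '<item><title>tracker</title>'
    '<description><![CDATA[hello <img src="http://tracker.example.invalid/track_ip.php"> '
    'world <script>alert(1)</script>]]></description></item>'
    '</channel></rss>'
)

# Formatting-only elements that a preview may render. Anything that can load a
# remote resource (img, iframe, object, link, ...) is deliberately absent.
ALLOWED_TAGS = {"b", "i", "em", "strong", "p", "br", "ul", "ol", "li"}
# Elements whose entire content is discarded, not only the tag itself.
DROP_CONTENT_TAGS = {"script", "style"}


class FeedHTMLSanitizer(HTMLParser):
    """Rebuilds description HTML from an allowlist; attributes are never kept."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self._skip_depth = 0  # >0 while inside <script>/<style>

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT_TAGS:
            self._skip_depth += 1
        elif self._skip_depth == 0 and tag in ALLOWED_TAGS:
            self.out.append(f"<{tag}>")  # attributes dropped on purpose

    def handle_startendtag(self, tag, attrs):
        # Self-closing forms such as <br/>; <img/> is not allowed and vanishes.
        if self._skip_depth == 0 and tag in ALLOWED_TAGS:
            self.out.append(f"<{tag}>")

    def handle_endtag(self, tag):
        if tag in DROP_CONTENT_TAGS:
            self._skip_depth = max(0, self._skip_depth - 1)
        elif self._skip_depth == 0 and tag in ALLOWED_TAGS and tag != "br":
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        # Text is re-escaped, so "&lt;b&gt;" in the HTML stays literal text
        # instead of being unescaped a second time into a live <b> element.
        if self._skip_depth == 0:
            self.out.append(html.escape(data, quote=False))


def sanitize_description(raw_html: str) -> str:
    """Return the allowlisted HTML for one item description."""
    parser = FeedHTMLSanitizer()
    parser.feed(raw_html)
    parser.close()
    return "".join(parser.out)


def preview_feed(feed_xml: str) -> dict:
    """Map item title -> sanitized description HTML for every <item> in the feed."""
    root = ET.fromstring(feed_xml)
    preview = {}
    for item in root.iter("item"):
        title = item.findtext("title", default="")
        # XML parsing performs exactly one unescape: CDATA and &lt; both yield "<".
        description = item.findtext("description", default="")
        preview[title] = sanitize_description(description)
    return preview


if __name__ == "__main__":
    for title, rendered in preview_feed(SAMPLE_FEED).items():
        print(f"{title}: {rendered!r}")
```

Running it shows the CDATA item rendered as bold markup, the twice-escaped item kept as the literal text `<b>...</b>`, and the tracker item reduced to its surrounding text with neither the image request nor the script surviving; the allowlist approach means any element the preview does not explicitly know about is dropped rather than passed through.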
Created attachment 340466 [details] WFM testcase This testcase, with <![CDATA[<b>..., works for me - the preview displays <b>Am I bold?</b> in trunk and 3.0.2. Can you attach a testcase feed that demonstrates what you are seeing?
Created attachment 343761 [details] Also WFM testcase Title and description, channel and item, none of it being double-unescaped and rendered. Max, we really need an attached testcase that shows what you're seeing, to be able to do anything here.
After a month probably not going to get any more information
Status: UNCONFIRMED → RESOLVED
Last Resolved: 10 years ago
Resolution: --- → INCOMPLETE
Verifying incomplete. If it can be reproduced in Firefox 3.5 or 3.6 and more information is provided, we will reopen.
Status: RESOLVED → VERIFIED