Don't Follow the Script

When his weblog moved in March, Michael Fioritto put JavaScript in the first item of his RSS feed to redirect visitors to his new site.

The news aggregator AmphetaDesk read the script tag and executed the redirect, making it impossible for me to use the software until I unsubscribed from his feed, which probably wasn't the effect he was going for.

An aggregator that doesn't strip out script and other dangerous tags is a security exploit waiting to happen.


Let me wildly disagree. It doesn't matter what you do, somebody will always find an exploit. Javascript is generally safe. If the aggregator fails because of the javascript, then it's not a good aggregator. MHO. A great aggregator can display Javascript, w/out a worry.

Even if you leave off the possibility of JavaScript exploits, there's still a lot of undesirable things that can be done with scripting, such as the redirect I described. I couldn't use Amphetadesk unless I unsubscribed to his feed.

That happen because the javascript was probably redirecting the index.html to the new website. If you use the template AmphetaFrames ( instead of he default that won't happen. The only feed that gets redirected is the one that has the javascript, the others can still be red.

Add a Comment

All comments are moderated before publication. These HTML tags are permitted: <p>, <b>, <i>, <a>, and <blockquote>. This site is protected by reCAPTCHA (for which the Google Privacy Policy and Terms of Service apply).