the old bugs are the best

I just demonstrated that Planet software is susceptible to poisoning by broken HTML.

I noticed the problem while reading bigbro’s blog – he had left an <i> element open, which was not caught by the Planet ILUG engine. As a result, all the following posts were in italic.

The Planet ILUG engine is based on Planet Planet, which uses Mark Pilgrim’s feed parser. The source code of the feed parser claims to sanitise its posts, but I proved that wrong by leaving the following lines of HTML at the end of a test post which was then syndicated out to Planet ILUG:

<font color="#ffffff"><sub>

I remember coming across this bug a long time back – late 80s/early 90s, when the net was just taking off – at the time, HTML chatrooms were very popular. As a result, there were quite a few chatrooms out there that could be poisoned in a very similar way.

The only sanitising the feed parser seems to do is to check that only elements from a fixed list of allowed ones are let through, removing any others. The parser does not appear to make sure that the elements it lets through are properly closed!
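One defensive fix for the gap described above, as an added example and not code from Planet or the feed parser: a sanitiser that applies an element allow-list and, at the end of each post, closes whatever is still open, so an unbalanced tag cannot spill into the posts that follow. The allow-lists here are hypothetical and far shorter than a real one would be.

```python
from html import escape
from html.parser import HTMLParser

ALLOWED = {"a", "b", "i", "em", "strong", "p", "br", "sub", "sup", "font"}
ALLOWED_ATTRS = {"href", "title", "color"}   # hypothetical short allow-lists
VOID = {"br"}                                 # elements that never close
DROP_WITH_BODY = {"script", "style"}          # drop the element and its text


class BalancingSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.open = []      # stack of currently open allowed elements
        self.skipping = 0   # >0 while inside <script>/<style>

    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_BODY:
            self.skipping += 1
        if self.skipping or tag not in ALLOWED:
            return          # disallowed element: drop the tag itself
        kept = "".join(f' {k}="{escape(v or "", quote=True)}"'
                       for k, v in attrs if k in ALLOWED_ATTRS)
        self.out.append(f"<{tag}{kept}>")
        if tag not in VOID:
            self.open.append(tag)

    def handle_endtag(self, tag):
        if tag in DROP_WITH_BODY and self.skipping:
            self.skipping -= 1
        elif tag in self.open:  # a stray closing tag is simply ignored
            while self.open:    # also close anything opened after it
                top = self.open.pop()
                self.out.append(f"</{top}>")
                if top == tag:
                    break

    def handle_data(self, data):
        if not self.skipping:
            self.out.append(escape(data, quote=False))

    def result(self):
        self.close()        # flush the parser, then balance what is open
        tail = "".join(f"</{t}>" for t in reversed(self.open))
        return "".join(self.out) + tail


def sanitize(fragment):
    """Return a well-formed, allow-listed version of one post's HTML."""
    parser = BalancingSanitizer()
    parser.feed(fragment)
    return parser.result()
```

Run on the fragment from the test post, `sanitize('<font color="#ffffff"><sub>')` comes back with both elements closed, so the next post on the planet starts from a clean slate.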

On the HTML-poisoning note: I remember a long time back, when I was working for a Dublin CORBA consultancy company, they built the first ever forum powered by EJB, as a proof-of-something. They were showing off the bright and shiny new application, really proud of it. As a test, I stuck a simple line of code into a post to the forum:

<script type="text/javascript">document.location="http://contactjuggling.org";</script>

The look on the developers’ faces was priceless.

I wonder, how many other Planet engines are susceptible to this old bug?
