Input coming from RSS feeds should be sanitized for security purposes.

I am somewhat new to Drupal so I'm not clear/positive if this is already handled automatically somewhere - or if this is being handled somewhere in Feeds that I am not aware of. But if it's not, this could pose a security risk.

Comments

alex_b’s picture

alex_b commented

What specifically should be sanitized? What sort of security vulnerabilities do you have in mind?

Generally, in Drupal most of the sanitation happens on output. If a user has the power to submit content to Drupal, he or she can submit anything as long as it constitutes a valid form submission. The input is stored as-is in the database (and of course, it won't be executed with eval() or similar!). When the content is presented to a viewer it is filtered and cleaned up. The result of these filter-on-output processes is cached in the database for quicker turnaround for subsequent users.

Feeds pretty much relies on this process. It assumes whatever you are going to aggregate, you are not going to present it to a viewer without filtering.

Is there an inherent problem with this assumption?

awjrichards’s picture

awjrichards commented

No - that makes total sense. I guess I am more worried about SQL injection - but the more I think about it, I presume this gets taken care of by the node module or CCK. Is that correct?

alex_b’s picture

alex_b commented

SQL injection should be caught on the DB API level: see e. g. db_query().

twistor’s picture

twistor commented
Status: Active » Closed (fixed)

Cleaning up old issues.