I’ve just noticed that people can get XSS to run inside NewsBlur.
The contents of the Spam Comment on a blog post was:
`"> ![](x)`
This caused a popup as soon as I loaded the folder with that post in it. The blog post comment has been deleted by the owner, but I’ve grabbed a capture of the post and the popup.
[Screenshot: The Popup]
[Screenshot: The Post]
I’m going to escalate this to the feedparser.py library that NewsBlur uses. Can you share the newsblur.com url when you read the feed on the web? I want to see if it can happen again.
I just upgraded feedparser to the latest version and it is supposed to protect from this vulnerability. In fact, it does. I haven’t seen this style of XSS, so it might just take a bit to get it fixed.