XSS Allowed from some posts

I’ve just noticed that people can get XSS to run inside NewsBlur.

The contents of the spam comment on a blog post were:

"\> ![](x)

This caused a popup as soon as I loaded the folder with that post in it. The blog post comment has been deleted by the owner, but I’ve grabbed a capture of the post and the popup.

[Image: The Popup]

[Image: The Post]
I’m going to escalate this to the feedparser.py library that NewsBlur uses. Can you share the newsblur.com URL when you read the feed on the web? I want to see if it can happen again.

I just upgraded feedparser to the latest version and it is supposed to protect from this vulnerability. In fact, it does. I haven’t seen this style of XSS, so it might just take a bit to get it fixed.

Still happens when scrolling down the older posts of this feed: https://newsblur.com/site/5546934/microsoft-application-lifecycle-management-all-comments
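As an added illustration of the allow-list sanitising a reader has to apply to feed and comment HTML before rendering it (example code written for this page, not NewsBlur's or feedparser's own), standard library only; the sample input and tag lists are constructed, and the `dropped` list is there so a reader could log what was stripped:

```python
from html import escape
from html.parser import HTMLParser

# Constructed allow-lists: anything not listed is removed, including every on* handler.
ALLOWED_TAGS = {"p", "a", "b", "i", "em", "strong", "img", "br", "blockquote",
                "code", "pre", "ul", "ol", "li"}
ALLOWED_ATTRS = {"a": {"href", "title"}, "img": {"src", "alt", "title"}}
VOID_TAGS = {"img", "br"}
SAFE_SCHEMES = ("http://", "https://", "mailto:")

def _safe_url(value):
    # Drop whitespace/control characters first: browsers ignore them inside a scheme.
    v = "".join(ch for ch in value.lower() if not ch.isspace() and ord(ch) > 31)
    if ":" in v:                      # has a scheme: only the listed ones pass
        return v.startswith(SAFE_SCHEMES)
    return True                       # relative URL, harmless as a src/href

class FeedSanitizer(HTMLParser):
    """Rebuilds the HTML, keeping only allow-listed tags/attributes and safe URLs."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.dropped = []     # (tag, attr-or-None) pairs that were removed
        self._skip = None     # set while inside <script>/<style>, whose text is discarded

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            self.dropped.append((tag, None))
            if tag in ("script", "style"):
                self._skip = tag
            return
        kept = []
        for name, value in attrs:
            value = value or ""
            if name not in ALLOWED_ATTRS.get(tag, set()) or \
               (name in ("href", "src") and not _safe_url(value)):
                self.dropped.append((tag, name))
                continue
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)

    def handle_endtag(self, tag):
        if tag == self._skip:
            self._skip = None
        elif tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if self._skip is None:
            self.out.append(escape(data))   # text is re-escaped, never passed through raw

def sanitize(html):
    """Return (clean_html, dropped) for one feed item or comment body."""
    s = FeedSanitizer()
    s.feed(html)
    s.close()
    return "".join(s.out), s.dropped

# Constructed sample: an image tag carrying an event handler, a script: link and a script block.
SAMPLE = ('<p>hi</p><img src="x" onerror="alert(1)">'
          '<a href="javascript:alert(2)">c</a><script>alert(3)</script>')
```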