RSS Security Risk? (Moved: was: Security PHP and MYSQL)
7:12 PM EST 2/13/08
We hired a summer student to incorporate RSS feeds so that users could subscribe to new titles received for their specific programs and they would subscribe on our library home page. Our IT dept keeps putting off (since August 07) setting it up so it can be used. "Security risk -- we're looking at it -- we need to have the code verified, blah blah blah." We don't know what the security risks are, have never been told. Could someone perhaps enlighten me on what the possible security risks may be and how to set things up so there is no security risk? I would like something (ammunition if that term fits) to present to our IT person who refuses to basically do nothing with this project so the library can get it up and running.
Message was edited by: timking -- added RSS Security Risk to title.
Re: RSS Security Risk? (Moved: was: Security PHP and MYSQL)
7:13 PM EST 2/13/08
as a reply to Duane Meyers.
I'm guessing the community has some best practices or war stories worth sharing that haven't been captured here, so I've made this topic the Question of the Week (http://www.webjunction.org/forums/thread.jspa?messageID=50135).
If you have any tips, tricks or horror stories about convincing an IT department to move forward with RSS--or really any new technology--please post here.
Re: RSS Security Risk? (Moved: was: Security PHP and MYSQL)
10:21 AM EST 2/15/08
as a reply to Duane Meyers.
I'm a little confused... Will you all be *producing* the RSS feeds, or using RSS feeds from other sources (sources that you don't control)? If you are using RSS from other places then, yes, there is a security risk. You are essentially running code from an unknown source on your website - you need to make sure that whatever you are using to display the RSS feed on your site strips out any potentially dangerous code. Some RSS parsers come with security built-in. Others (I'm thinking of you, Magpie) give you the opportunity to roll your own security. If you are producing the RSS feeds, though, I'm having a hard time coming up with a way that this can be a big security issue. I guess I'd need some more information on how the RSS is produced...
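The stripping step described in the reply above, as an added example that is not part of the original post and not Magpie's own code. It assumes each feed item has already been parsed into an array with `title`, `link` and `description` keys; the function names and the sample items are constructed for illustration.

```php
<?php
// Added example: make one parsed RSS item safe to print into an HTML page.
// Assumption: the parser returns items as arrays with 'title', 'link', 'description'.

// Allow only http(s) links; any other scheme, or no scheme at all, is dropped.
function safe_link(string $url): ?string {
    $url = trim($url);
    $scheme = parse_url($url, PHP_URL_SCHEME);
    if (!is_string($scheme)) {
        return null; // malformed or relative URL
    }
    return in_array(strtolower($scheme), ['http', 'https'], true) ? $url : null;
}

// Reduce feed text to plain text, then HTML-escape it. The escaping is the
// actual control: whatever survives strip_tags() is still printed as text.
function safe_text(string $raw): string {
    $plain = trim(preg_replace('/\s+/', ' ', strip_tags($raw)));
    return htmlspecialchars($plain, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Build the list entry for one item (hypothetical helper name).
function render_feed_item(array $item): string {
    $title = safe_text((string)($item['title'] ?? ''));
    $desc  = safe_text((string)($item['description'] ?? ''));
    $link  = safe_link((string)($item['link'] ?? ''));
    if ($link === null) {
        $head = $title; // no usable link: show the title as plain text
    } else {
        $href = htmlspecialchars($link, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
        $head = '<a href="' . $href . '" rel="noopener noreferrer">' . $title . '</a>';
    }
    return "<li>{$head}<p>{$desc}</p></li>\n";
}

// Constructed sample items: one ordinary, one carrying markup and a script link.
$items = [
    ['title' => 'New titles: Nursing',
     'link' => 'https://library.example/new/nursing',
     'description' => '<p>12 new books</p><script>alert(1)</script>'],
    ['title' => '<img src=x onerror=alert(1)>New titles',
     'link' => 'javascript:alert(1)',
     'description' => 'See the <a href="http://other.example/">list</a>'],
];

foreach ($items as $item) {
    echo render_feed_item($item);
}
```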
Re: RSS Security Risk? (Moved: was: Security PHP and MYSQL)
9:45 AM EST 2/18/08
as a reply to Robin Hastings.
Another issue with publishing external RSS feeds on your own site is performance. I've found that if the content-producing site is experiencing difficulties, it can hang or dramatically slow your site down. Magpie has some caching built in which helps, but I've gone to doing all RSS reading as separate jobs, so if there's a problem it doesn't slow my site down.