
Does SimplePie $item->get_content() output need to be escaped when echoing to page?


I have a WordPress plugin that reads an RSS feed and outputs it to the browser in an admin page. In the plugin, it uses the standard feed.php template from WordPress (wp-includes/feed.php), which uses SimplePie to fetch the feed through WordPress.

The page loops through the feed items and uses $item->get_title() and $item->get_content() to output the item title and content via a direct echo to the page.

I have had a user contact me to tell me that they had a security audit done on their site and it failed because we used the $item->get_content() and are not escaping it before output to the browser and that this is an XSS vulnerability because HTML is being read from a vendor's website and needs to be escaped.

Is this correct?

In all the documentation for using the get_content() function, they show echoing out the $item->get_content() results.

Can someone shed light on this so I can best address this either with the security audit team and/or user - or update the plugin correctly if it needs to be escaped.

Thanks! Don


Solution

  • The audit is wrong. SimplePie does escape the content internally. If you look into the SimplePie class source you will see this property that defines the tags that will be stripped:

    public $strip_htmltags = array('base', 'blink', 'body', 'doctype', 'embed', 'font', 'form', 'frame', 'frameset', 'html', 'iframe', 'input', 'marquee', 'meta', 'noscript', 'object', 'param', 'script', 'style');


    So <script> tags are stripped out, and therefore no XSS attack can be done.

    This is the default behaviour of SimplePie, so unless you intentionally tell it to run in fast mode by calling $feed->set_stupidly_fast(true) (as you can see, the function name speaks for itself :) ) or by calling $feed->strip_htmltags(true), it will run in safe mode.

    From the SimplePie documentation:

    SimplePie protects against malicious feeds by sanitizing the data.
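Added example, not from the question or the answer above: an admin-page render loop for the plugin described in the question that fetches the feed through WordPress's fetch_feed() (the wp-includes/feed.php wrapper around SimplePie), leaves SimplePie's default tag stripping switched on, and additionally passes the title through esc_html() and the content through wp_kses_post() before echoing. It assumes WordPress is loaded (fetch_feed, is_wp_error, esc_html, esc_url and wp_kses_post are WordPress core functions); the function name myplugin_render_feed and the feed URL parameter are hypothetical.

```php
<?php
// Added example, not part of the original plugin or of SimplePie.
// Assumes WordPress core is loaded so that fetch_feed(), is_wp_error(),
// esc_html(), esc_url() and wp_kses_post() are available.

function myplugin_render_feed( $url ) {
    // fetch_feed() returns a configured SimplePie object, or a WP_Error
    // when the feed cannot be retrieved or parsed.
    $feed = fetch_feed( $url );
    if ( is_wp_error( $feed ) ) {
        echo '<p>' . esc_html( $feed->get_error_message() ) . '</p>';
        return;
    }

    // Leave SimplePie's sanitizer at its default. The setting below is the
    // weak one mentioned in the answer: it disables tag stripping, so it
    // is shown here only to document what NOT to call on an admin page.
    // $feed->set_stupidly_fast( true );

    foreach ( $feed->get_items( 0, 10 ) as $item ) {
        // The title is plain text, so HTML-escape it for the page body
        // and URL-escape the link target for the href attribute.
        echo '<h3><a href="' . esc_url( $item->get_permalink() ) . '">'
            . esc_html( $item->get_title() ) . '</a></h3>';

        // The content is meant to be HTML, so instead of a raw echo it is
        // filtered with wp_kses_post(), which keeps the tag set allowed in
        // post content and drops script/iframe/style and on* event
        // attributes. This holds even if SimplePie's own stripping were
        // later switched off, so the output no longer depends on that.
        echo '<div class="feed-item">'
            . wp_kses_post( $item->get_content() )
            . '</div>';
    }
}
```

Because wp_kses_post() is applied at output time, the admin page stays safe to render whether or not the feed vendor's HTML was already cleaned upstream, which is the property a security audit is usually checking for.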