Critical Temboz vulnerability, please update
TL:DR If you are using my Temboz feed reader, please update as soon as possible to version 4.0 or later.
This is because Temboz depends on
feedparser, Kurt McKee’s
(originally Mark Pilgrim’s) ultra-liberal feed parsing library for Python. One
of its responsibilities is to sanitize feed content to strip out potentially
dangerous HTML like
<script> tags. Unfortunately, I only just realized that
on Python 3, due to the absence of the
sgmllib module in Python 3 that used
to ship with Python 2, feedparser will silently fail and not sanitize the HTML
instead of failing safe, e.g. throwing a
NotImplementedError. Since this is
such a fundamentally flawed approach, I decided no longer to trust feedparser
withis responsibility and assign it to Mozilla’s
bleach instead. Furthermore, Temboz will
now perform a sanity check at startup and refuse to start if
are not being filtered.
I apologize for potentially exposing you to XSS attacks via malicious feeds. Unfortunately I have no way to reach out to all those who installed Temboz. If you are installing Temboz, I would recommend you subscribe to my RSS feed for it so you can get important announcements like this one in the future.