
Warnings About The Security Of Embedding Feeds In Your Site

Embedding a feed from into your site carries some risks. Please be sure that you understand them:

  • You must trust
  • You must have set the character encoding on pages that you serve

Even then, because the content of is mainly provided by users, you must trust that they have not found any exploits in our cross site scripting protection that would allow them to run arbitrary code on your pages. (This would be a violation of their terms of use, so we hope no-one will try to do it, and any such attempts would be sanctioned severely.)

In detail:

You must trust

Each time someone visits a page on your site that contains an embedded feed, a set of JavaScript code is loaded. This code could be used to alter any of the content on the page that your visitor sees, or to take a copy of any cookies you have stored on that user's computer. We won't do this of course. But you will have to trust us.

You must set the character encoding

Quoted from Jon Warbrick:

There is a separate issue for anyone using an embedded feed on a page that doesn't establish its character encoding (which is foolish, but people do it) – under these circumstances Internet Explorer (up to and including IE7rc1) can be conned into interpreting the page in UTF-7. In UTF-7, the sequence +ADw- is '<' and won't be caught by most escaping (see for more info).

Character encoding is set on your webserver. Consult its documentation for details.

An escaping problem

Markus Kuhn has pointed out that the JavaScript feed we provide does not provide sufficient escaping of:
  • unescaped single/double quote
  • unescaped backslash
  • line terminator (\u000A, \u000D, \u2028, \u2029)

This may cause problems. A fix is being worked on.
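
The sketch below is an added example, not the feed's own code or the fix referred to above. It shows an escaper for text placed inside a JavaScript string literal that handles exactly the characters listed, with a round-trip check. The names `escapeJsString`, `renderFeedLine` and `feedTitle` are hypothetical, and the sample title is constructed.

```javascript
// Added example: escape text for use inside a JavaScript string literal.
// Handles the characters listed above: quotes, backslash, line terminators.
// HTML escaping of the text for the embedding page is a separate layer, not shown.
const JS_STRING_ESCAPES = {
  '\\': '\\\\',
  "'": "\\'",
  '"': '\\"',
  '\u000A': '\\n',
  '\u000D': '\\r',
  '\u2028': '\\u2028',
  '\u2029': '\\u2029',
};

function escapeJsString(text) {
  // One pass, so the backslashes we insert are never escaped a second time.
  return String(text).replace(
    /[\\'"\u000A\u000D\u2028\u2029]/g,
    (ch) => JS_STRING_ESCAPES[ch]
  );
}

// Hypothetical feed generator: emits one line of script carrying a title.
function renderFeedLine(title) {
  return "var feedTitle = '" + escapeJsString(title) + "';";
}

// Round-trip check: the escaped text, parsed back as a string literal in
// either quote style, must equal the original text exactly.
function roundTrips(text) {
  const escaped = escapeJsString(text);
  const single = new Function("return '" + escaped + "';")();
  const double = new Function('return "' + escaped + '";')();
  return single === text && double === text;
}

// Constructed sample containing every character class from the list.
const sampleTitle = 'Dr O\'Brien: "C:\\temp" notes\u2028part two\r\nend\u2029';

console.log(renderFeedLine(sampleTitle));
console.log('round trip ok:', roundTrips(sampleTitle));
```
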

Questions and comments

If you have questions about these warnings, or if you spot other possible vulnerabilities, please contact us.

Thank you to Jon Warbrick of the Computing Service for identifying these problems, and separate problems involving vulnerabilities to cross-site scripting attacks.


© 2006-2024, University of Cambridge.