Microformat injection

Ben Smith and I are attending Social Graph Foocamp this weekend. This is his post from the BBC development blog, which we're setting free here on my blog.

While this isn't a topic that anyone is talking about here, I was struck by a throwaway comment by Brad Fitzpatrick about the possibility of Microformat Injection. Everyone knows about XSS, and only the worst developers leave themselves exposed by allowing JavaScript through form submissions. However, allowing a subset of HTML through in requests, to then be published in, say, profile pages, is quite standard.

I'm not sure if it would ever be particularly dangerous, but Microformat Injection could be used to insert rel="me" links into pages, as <a> tags are quite regularly allowed through. Now I'm not very knowledgeable about Microformats (RDFa seems shinier), so I'll leave it up to you to think up some interesting Microformat Injection exploits. Please comment if you think of any!
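To make the point concrete from the defending side, here is an added example (not code from the original post or from the BBC): two small HTML filters for a user-supplied profile field. The first keeps <a> tags with whatever attributes the user sent, which is the situation described above, so an injected rel="me" is published verbatim. The second keeps only an http(s) href and forces rel="nofollow", so the published link can never read as an identity claim (it also drops class, which hCard-style microformats rely on). The function names and the sample "bio" are constructed for this example.

```python
"""Added example: permissive vs. strict filtering of <a> tags in profile text.
`permissive_filter` reproduces the weak behaviour the post describes;
`strict_filter` is the hardened form.  Names and sample input are constructed."""

from html import escape
from html.parser import HTMLParser
from urllib.parse import urlsplit

ALLOWED_TAGS = {"a", "b", "i", "p", "br"}   # the "subset of HTML" a profile may use
SAFE_SCHEMES = {"http", "https"}


class _Filter(HTMLParser):
    """Rebuilds the markup, keeping only allowed tags; `strict` decides whether
    attributes are passed through untouched or rewritten."""

    def __init__(self, strict):
        super().__init__(convert_charrefs=True)
        self.strict = strict
        self.out = []

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            return  # disallowed tag is dropped; its text still arrives via handle_data
        if tag == "a":
            attrs = self._anchor_attrs(attrs)
        else:
            attrs = [] if self.strict else attrs
        rendered = "".join(f' {k}="{escape(v or "", quote=True)}"' for k, v in attrs)
        self.out.append(f"<{tag}{rendered}>")

    def handle_endtag(self, tag):
        if tag in ALLOWED_TAGS and tag != "br":
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(escape(data, quote=False))

    def _anchor_attrs(self, attrs):
        if not self.strict:
            return attrs  # permissive: rel="me", class="vcard", ... all survive
        kept = []
        for name, value in attrs:
            # only a vetted href is kept; rel, class, title and friends are discarded
            if name == "href" and value and urlsplit(value).scheme in SAFE_SCHEMES:
                kept.append(("href", value))
        # every user-supplied link is explicitly marked as not an identity claim
        kept.append(("rel", "nofollow"))
        return kept

    def result(self):
        return "".join(self.out)


def _run(html, strict):
    f = _Filter(strict)
    f.feed(html)
    f.close()
    return f.result()


def permissive_filter(html):
    """Keeps <a> attributes as submitted (the weak behaviour)."""
    return _run(html, strict=False)


def strict_filter(html):
    """Keeps only a safe href and forces rel="nofollow" (the hardened behaviour)."""
    return _run(html, strict=True)


# constructed sample: a bio field that tries to claim another site as "me"
SAMPLE_BIO = ('Hi, find me at <a href="https://example.com/victim" rel="me" '
              'class="url">my other site</a><script>alert(1)</script>')

if __name__ == "__main__":
    print("permissive:", permissive_filter(SAMPLE_BIO))
    print("strict:    ", strict_filter(SAMPLE_BIO))
```

Both filters drop the script tag, so a check that only looks for XSS would pass the permissive one; the difference is entirely in which attributes of an allowed tag are let through. Allowlisting attributes, not just tags, is the fix.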
