I shall give my usual plea (for the OP and feed authors alike): except for podcasts, please deal in Atom rather than RSS if you have a choice. Let RSS die. Outside of podcasting software, everything supports both, and Atom is the technically superior format, including resolving various unspecified behaviour that does lead to inconsistency across clients, such as with respect to HTML markup in titles (which RSS has no answer for, so that one way or the other all clients will mangle some titles that contain <) and in content (where the main but far from ubiquitously used RSS answer is to leave a blank <description> or <summary> or whatever it is, and use the <encoded> element from the http://purl.org/rss/1.0/modules/content/ namespace).
> And possibly the autodiscovery needs tweaking too, as I observe it not finding the feed on my site https://chrismorgan.info/, which is properly specified; my first guess is that it’s not coping with the type=application/atom+xml attribute.
> …Atom is the technically superior format, including resolving various unspecified behaviour that does lead to inconsistency across clients, such as with respect to HTML markup in titles (which RSS has no answer for…
- If you want to stay up to date on a topic, make a multifeed for it. Just google "topic blogs", click on a result that looks good and paste it into mergefeed.
I feel compelled to mention FraidyCat[0], which is offered as a desktop app. It groups posts by feed/individual, with a mini activity bar next to each. It also groups feeds by the specified intensity of your follow (real-time to occasional).
[+] [-] ms123|4 years ago|reply
[+] [-] teitoklien|4 years ago|reply
Thnx for the link
[+] [-] chrismorgan|4 years ago|reply
For this project, that would mean emitting Atom rather than RSS. And possibly the autodiscovery needs tweaking too, as I observe it not finding the feed on my site https://chrismorgan.info/, which is properly specified; my first guess is that it’s not coping with the type=application/atom+xml attribute.
In related news, MergeFeed is currently vulnerable to injection attacks because it mishandles Atom titles that are specified as text. If you specify a title as HTML or XHTML, it filters out a <script> element properly (good! and while retaining inline formatting too!), but if you specify a title as text, it doesn’t escape the HTML (which is what it should do) or filter it (which would have been wrong but would at least have closed the security vulnerability). Proof of concept: https://mergefeed.net/-?urls=https://temp.chrismorgan.info/x...
[+] [-] amadeuspagel|4 years ago|reply
I fixed that: https://mergefeed.net/Untitled?urls=https://chrismorgan.info...
> In related news, MergeFeed is currently vulnerable to injection attacks because it mishandles Atom titles that are specified as text. If you specify a title as HTML or XHTML, it filters out a <script> element properly (good! and while retaining inline formatting too!), but if you specify a title as text, it doesn’t escape the HTML (which is what it should do) or filter it (which would have been wrong but would at least have closed the security vulnerability). Proof of concept: https://mergefeed.net/-?urls=https://temp.chrismorgan.info/x...
I fixed that too. But for now I wasn't able to fix it without also removing formatting. I might be able to figure out how to keep formatting without allowing XSS attacks later, but I'm not sure that's even a good idea. It's kind of a link aggregator and link aggregators generally don't allow formatting. You don't want people to try to gain attention that way, leading to an arms race.
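As an added example (not part of the thread and not MergeFeed's code), this Python sketch shows the handling discussed above: each Atom title is reduced to plain text according to its `type` attribute and then HTML-escaped, which corresponds to the no-formatting fix described in the reply. The sample feed and all function names are constructed for illustration.

```python
import html
import xml.etree.ElementTree as ET
from html.parser import HTMLParser

ATOM = "{http://www.w3.org/2005/Atom}"
# Constructed sample feed: one entry per way a title can be typed.
SAMPLE_FEED = """<feed xmlns="http://www.w3.org/2005/Atom">
<entry><title type="text">&lt;script&gt;alert(1)&lt;/script&gt; AT&amp;T</title></entry>
<entry><title type="html">&lt;b&gt;Bold&lt;/b&gt; &lt;script&gt;alert(1)&lt;/script&gt;news</title></entry>
<entry><title type="xhtml"><div xmlns="http://www.w3.org/1999/xhtml"><em>Plain</em> &lt; fancy</div></title></entry>
<entry><title>a &lt; b</title></entry>
</feed>"""

class TextOnly(HTMLParser):
    """Keeps character data; drops tags and the bodies of script/style."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.parts, self.skip = [], 0

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self.skip += 1

    def handle_endtag(self, tag):
        if tag in ("script", "style") and self.skip:
            self.skip -= 1

    def handle_data(self, data):
        if not self.skip:
            self.parts.append(data)

def title_to_safe_html(title):
    """Reduce an Atom <title> element to escaped plain text for HTML output."""
    kind = (title.get("type") or "text").lower()  # RFC 4287: default is "text"
    if kind == "html":      # content is markup: parse it, keep only the text
        parser = TextOnly()
        parser.feed(title.text or "")
        parser.close()
        plain = "".join(parser.parts)
    elif kind == "xhtml":   # content is a child <div>: take its text nodes
        plain = "".join(title.itertext())
    else:                   # content is literal text, "<" included
        plain = title.text or ""
    return html.escape(" ".join(plain.split()), quote=True)

def render_titles(feed_xml):
    # Standard-library parser for self-containment; use a hardened one for untrusted feeds.
    root = ET.fromstring(feed_xml)
    return [title_to_safe_html(t) for t in root.iter(ATOM + "title")]
```

The `type="text"` entry comes out with its angle brackets escaped rather than interpreted, and the `html` and `xhtml` entries lose their markup but keep their visible text.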
[+] [-] CharlesW|4 years ago|reply
The answer seems unambiguous in the RSS spec, which is that <title> is plain text (not HTML). The reason I know it's not unspecified is that entity-encoded HTML is documented as supported in other elements (e.g. <item><description>).
Your evangelism for Atom is interesting because, of the hundreds of feeds in my newsreader, I don't believe any are Atom. So my impression was that Atom was "at least as dead as RSS" for user-facing applications, which makes me curious what the popular use cases are for it these days.
[+] [-] Wronnay|4 years ago|reply
[+] [-] cristoperb|4 years ago|reply
https://github.com/cristoper/feedmixer
[+] [-] monkeydust|4 years ago|reply
I get asked fairly frequently at work what blogs / newsletters / sites I read to keep on topic X.
Could I use this to create a feed for topic X sourced from what I read and then share the merged feed with others?
[+] [-] amadeuspagel|4 years ago|reply
[+] [-] spookybones|4 years ago|reply
[+] [-] amadeuspagel|4 years ago|reply
[+] [-] BrianOnHN|4 years ago|reply
https://mergefeed.net/WFH?urls=https://wfhjobs.us/
[+] [-] amadeuspagel|4 years ago|reply
[+] [-] imwillofficial|4 years ago|reply
[+] [-] beardyw|4 years ago|reply
[+] [-] amadeuspagel|4 years ago|reply
- If you come across a blogroll (or any list of blogs) you're interested in, you can turn it into a multifeed.
- If you have a bookmarks folder with blogs or podcasts, you can paste it into mergefeed to turn it into a multifeed.
[+] [-] amadeuspagel|4 years ago|reply
- Cyber Security: https://mergefeed.net/Cyber_Security_Blogs?urls=http://krebs...
- Economics: https://mergefeed.net/Economics_Blogs?urls=http://econbrowse...
[+] [-] mkl|4 years ago|reply
How is such a busy overwhelming feed useful?
[+] [-] strogonoff|4 years ago|reply
[0] https://fraidyc.at
[+] [-] amadeuspagel|4 years ago|reply
- Marginal Revolution: https://mergefeed.net/Marginal_Revolution_Blogroll?urls=http...
- Crooked Timber: https://mergefeed.net/Crooked_Timber_Blogroll?urls=http://11...
- Naked Capitalism: https://mergefeed.net/Naked_Capitalism_Blogroll?urls=http://...