Show HN: rust-rss – library for serializing the RSS web content format (github.com/frewsxcv)
35 points by _optl on May 9, 2015 | hide | past | favorite | 13 comments



Nice! It's good to see libraries like these popping up, adding more value to the Rust ecosystem.

Coming from Ruby and Rails, I'm excited to dive into low-level programming with Rust. It is just so refreshing to have control over stuff that is totally abstracted away in Ruby, while being safe enough just to not shoot myself in the foot each time.


If you feel like it, when you do, please let me know how it goes. I'm really invested in trying to make that particular leap a success.


I will do, Steve! I follow you on Twitter so I'll ping you once I feel like I can write decent Rust code and have an acceptable level of low-level programming know-how.

Maybe I shall write a little blog post about it, so I can explain the major challenges a bit.


That'd be wonderful. I don't know how long you've written Ruby, but Jay Fields had a blog way back in the day that was just really basic stuff. I'd really like to see such a thing for Rust. So, I guess what I'm saying is, you can probably start something similar even before you feel like you can write 'decent' Rust code...

That's a lot of work, though, but I think someone is gonna do it at some point, I hope.


I don't know Rust, but I think this could be vulnerable to XXE attacks[1]. Back in the day I fixed all the Java RSS libraries so now I always look for it. It's not exactly an obvious problem.

Also you should add RSS 1.0 (RDF) and Atom support.

[1] https://www.owasp.org/index.php/XML_External_Entity_%28XXE%2...


Is the security issue related to specifically RSS or the XML parsers?

With regards to Atom: https://github.com/frewsxcv/rust-rss/issues/2

I did not think RSS 1.0 support was necessary since (AFAIK) RSS 2.0 is backwards compatible. Please correct me if this is wrong.


XXE attacks are caused by configuration settings of the XML parser. Generally the default config is to allow external entities, and the calling code needs to override that config because the documents come from untrusted sources.

RSS 1.0 and 2.0 are completely incompatible. There is a whole boring politics story there.
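The point in the comment above is that XXE is a property of the parser's configuration rather than of RSS itself, and that the code consuming untrusted feeds has to close it off. One way to do that independently of whatever the underlying XML library defaults to is to refuse any feed that declares a DTD at all, since entity declarations can only live in a DOCTYPE. The following is an added example written for this thread, not code from rust-rss or RustyXML; it uses only the Rust standard library, and the two feed strings are constructed samples (the `file:///placeholder/...` URI is a placeholder, not a real path).

```rust
// Added example, not rust-rss or RustyXML code: a pre-parse guard that rejects
// feeds carrying a DTD. XXE needs a <!DOCTYPE ...> declaration to define
// entities, so refusing any document that declares one removes the attack
// surface no matter how the XML parser behind it is configured.

/// True if `xml` contains a DOCTYPE declaration outside comments and CDATA
/// sections. Matching is case-insensitive because lenient parsers accept
/// lower-case keywords. Unterminated comments/CDATA are treated as ordinary
/// text so the check fails closed on malformed input.
pub fn declares_dtd(xml: &str) -> bool {
    let bytes = xml.as_bytes();
    let mut i = 0;
    while i < bytes.len() {
        if bytes[i] != b'<' {
            i += 1;
            continue;
        }
        let rest = &bytes[i..];
        if rest.starts_with(b"<!--") {
            if let Some(end) = find(rest, b"-->") {
                i += end + 3; // skip the whole comment
                continue;
            }
        } else if rest.starts_with(b"<![CDATA[") {
            if let Some(end) = find(rest, b"]]>") {
                i += end + 3; // skip the whole CDATA section
                continue;
            }
        } else if rest.len() >= 9 && rest[..9].eq_ignore_ascii_case(b"<!DOCTYPE") {
            return true;
        }
        i += 1;
    }
    false
}

/// Byte-level substring search (std has no `find` on `&[u8]`).
fn find(hay: &[u8], needle: &[u8]) -> Option<usize> {
    hay.windows(needle.len()).position(|w| w == needle)
}

/// Gate to call before handing an untrusted feed to the XML parser.
pub fn accept_feed(xml: &str) -> Result<&str, &'static str> {
    if declares_dtd(xml) {
        Err("feed declares a DTD; rejected to rule out external entities")
    } else {
        Ok(xml)
    }
}

// Constructed sample: a benign feed that mentions DOCTYPE only inside a
// comment and a CDATA section, which must not trigger the guard.
pub const BENIGN_FEED: &str = r#"<?xml version="1.0"?>
<rss version="2.0"><channel><title>Example</title>
<!-- a comment mentioning <!DOCTYPE is harmless -->
<description><![CDATA[<!DOCTYPE inside CDATA is data, not markup>]]></description>
</channel></rss>"#;

// Constructed sample: a feed with an internal DTD declaring an external
// entity (placeholder URI). This is what the guard must reject.
pub const DTD_FEED: &str = r#"<?xml version="1.0"?>
<!DOCTYPE rss [ <!ENTITY ext SYSTEM "file:///placeholder/local-file"> ]>
<rss version="2.0"><channel><title>&ext;</title></channel></rss>"#;

fn main() {
    for (name, feed) in [("benign", BENIGN_FEED), ("dtd", DTD_FEED)] {
        match accept_feed(feed) {
            Ok(_) => println!("{name}: accepted"),
            Err(e) => println!("{name}: {e}"),
        }
    }
}
```

Rejecting DTDs outright is stricter than disabling only external entities, but RSS and Atom feeds in the wild have no legitimate need for a DOCTYPE, so the stricter rule costs nothing and does not depend on knowing the parser's option names.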


A quick look shows that RustyXML doesn't have complete error-checking when building a tree, so it's possible to get this library to generate output that isn't well-formed XML (hi parse-errors!), which should be a worry if you're taking input from other sources (with arbitrary strings).


Author or rust-rss here. What kind of errors could occur when generating the output?


Consider a string containing U+0000 or U+FFFF; both will generate output that isn't well-formed XML.


I'll look into it. Thanks for pointing it out.


As far as I'm aware, this is just a current shortcoming of RustyXML — it should just be fixed there.
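The exchange above about U+0000 and U+FFFF comes down to the XML 1.0 Char production, which allows only #x9, #xA, #xD, #x20-#xD7FF, #xE000-#xFFFD and #x10000-#x10FFFF; anything else cannot be written into a document at all, not even as a character reference, so a serializer that copies arbitrary strings through verbatim emits output no conforming parser will accept. The following is an added example for this thread, not code from rust-rss or RustyXML, showing the check a serializer should do on the way out; `escape_text` and `render_item` are names chosen here, and the inputs in `main` are constructed.

```rust
// Added example, not rust-rss or RustyXML code: validate and escape text
// before it is written into an RSS document. Characters outside the XML 1.0
// Char production (U+0000, U+FFFF, most C0 controls, ...) have no escaped
// form, so the only correct behaviour is to reject them before serializing.

/// True if `c` may appear anywhere in XML 1.0 character data.
pub fn is_xml_char(c: char) -> bool {
    matches!(c,
        '\u{9}' | '\u{A}' | '\u{D}'
        | '\u{20}'..='\u{D7FF}'
        | '\u{E000}'..='\u{FFFD}'
        | '\u{10000}'..='\u{10FFFF}')
}

/// Position and value of the first character XML cannot represent.
#[derive(Debug, PartialEq)]
pub struct InvalidXmlChar {
    pub index: usize,
    pub ch: char,
}

/// Escape `s` for use as element content. The markup characters get their
/// predefined entities; a character outside the Char production makes the
/// whole string unrepresentable, so it is reported instead of silently
/// producing a document that will fail to parse downstream.
pub fn escape_text(s: &str) -> Result<String, InvalidXmlChar> {
    let mut out = String::with_capacity(s.len());
    for (index, ch) in s.char_indices() {
        if !is_xml_char(ch) {
            return Err(InvalidXmlChar { index, ch });
        }
        match ch {
            '&' => out.push_str("&amp;"),
            '<' => out.push_str("&lt;"),
            '>' => out.push_str("&gt;"),
            _ => out.push(ch),
        }
    }
    Ok(out)
}

/// Render a minimal <item>, propagating the validation error so the caller
/// (not the reader of the feed) is the one who sees the bad input.
pub fn render_item(title: &str, link: &str) -> Result<String, InvalidXmlChar> {
    Ok(format!(
        "<item><title>{}</title><link>{}</link></item>",
        escape_text(title)?,
        escape_text(link)?
    ))
}

fn main() {
    // Constructed inputs: one ordinary, one carrying a NUL byte.
    for (title, link) in [
        ("R&D <news>", "http://example.com/?a=1&b=2"),
        ("bad\u{0}title", "http://example.com/"),
    ] {
        match render_item(title, link) {
            Ok(xml) => println!("{xml}"),
            Err(e) => println!("rejected: U+{:04X} at byte {}", e.ch as u32, e.index),
        }
    }
}
```

Note that U+FFFE and U+FFFF are both excluded even though Rust's `char` can hold them, which is exactly the mismatch the comment above points at: a type that is a valid Unicode scalar value is not automatically a valid XML character.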


Wow, just now I needed something like this for my rust package!



