Why does flask have Atom feed but not an RSS feed?

--
Thadeus
On 5/26/10 2:31 AM, Thadeus Burgess wrote:
> Why does flask have Atom feed but not an RSS feed?
Because RSS is a horrible and insecure format.
Regards,
Armin
Hi,
> Because RSS is a horrible and insecure format.
Could you explain to us the "insecure" bit?
Valentin
Hi,
On 5/26/10 4:31 PM, Valentin Jacquemin wrote:
> Could you explain to us the "insecure" bit?
It does not say if it contains HTML or text payload which causes XSS
problems if the detection is wrong (which it will be). Just don't use it.
Regards,
Armin
I understand the horrible part, the spec for RSS is very lenient. i.e. description is both a description of the post and the actual content of the post, it is up to the RSS reader to escape arbitrary HTML (i.e.: script tags and the like).

Perhaps a more intellectual response would be to describe issues with it, instead of blatantly flaming it, even if the flames are accurate.

--
Thadeus

On Wed, May 26, 2010 at 10:20 AM, Armin Ronacher <armin.ronacher@active-4.com> wrote:
> Hi,
>
> On 5/26/10 4:31 PM, Valentin Jacquemin wrote:
>> Could you explain to us the "insecure" bit?
> It does not say if it contains HTML or text payload which causes XSS
> problems if the detection is wrong (which it will be). Just don't use it.
>
> Regards,
> Armin
Hi,
On 5/26/10 6:04 PM, Thadeus Burgess wrote:
> I understand the horrible part, the spec for RSS is very lenient.
To add something else here: why is it still (2010) interesting to use
RSS feeds? All software should support it, and the few pieces of
software out there that do not support it can still get a bad
conversion of Atom to some sort of RSS with feedburner or other services.
Regards,
Armin
Hi,

On 5/26/10 6:04 PM, Thadeus Burgess wrote:
> Perhaps a more intellectual response would be to describe issues with
> it, instead of blatantly flaming it, even if the flames are accurate.

There is nothing more to add. The concept of guessing HTML versus
plain/text is flawed and there *is no way* to reliably guess what you
are dealing with. RSS is a hugely flawed and insecure protocol *you
must not use*. So stop right now.

Regards,
Armin
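The problem described in the replies above (an RSS `description` does not say whether it holds HTML or text, so the reader has to guess), shown as an added example that is not part of the original thread and is not Flask or Werkzeug code. The sample entry, the helper names, the small allowlist sanitizer and the guessing heuristic are all constructed for illustration; the same decoded string is rendered once through Atom's declared `type` and once through an RSS-style guess.

```python
import html
import re
import xml.etree.ElementTree as ET
from html.parser import HTMLParser

# Constructed sample entry: a plain-text title that mentions a tag, and an HTML summary.
SAMPLE_ATOM = ('<entry xmlns="http://www.w3.org/2005/Atom">'
               '<title type="text">How to use the &lt;b&gt; tag</title>'
               '<summary type="html">Fixed in &lt;em&gt;1.2&lt;/em&gt;</summary></entry>')

class _Allowlist(HTMLParser):
    """Minimal demo sanitizer: keeps a few bare tags, drops attributes, escapes text."""
    ALLOWED = {"b", "i", "em", "strong", "p"}
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
    def handle_starttag(self, tag, attrs):
        if tag in self.ALLOWED:
            self.out.append(f"<{tag}>")
    def handle_endtag(self, tag):
        if tag in self.ALLOWED:
            self.out.append(f"</{tag}>")
    def handle_data(self, data):
        self.out.append(html.escape(data))

def sanitize_html(value):
    parser = _Allowlist()
    parser.feed(value)
    parser.close()
    return "".join(parser.out)

def render_atom_text(elem):
    """Atom text construct: the producer declares the payload type."""
    kind = elem.get("type", "text")  # RFC 4287 default is "text"
    if kind == "text":
        return html.escape(elem.text or "")
    if kind == "html":
        return sanitize_html(elem.text or "")
    raise ValueError(f"type {kind!r} is not handled in this example")

def render_rss_description(value):
    """RSS description has no type flag, so this hypothetical reader guesses."""
    if re.search(r"</?[A-Za-z][^>]*>", value):
        return sanitize_html(value)  # guessed "HTML"
    return html.escape(value)        # guessed "plain text"

def demo():
    title, summary = ET.fromstring(SAMPLE_ATOM)  # the entry's two children
    return (render_atom_text(title), render_atom_text(summary),
            render_rss_description(title.text))  # same string sent as RSS
```

The third result keeps a live, unclosed `<b>` where the author meant literal text: the guess was wrong even though the sanitizer kept the output harmless, and a reader that trusts the same guess without sanitizing is where the XSS comes from.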
> RSS is a hugely flawed and insecure protocol

I agree with you on that. I always knew atom was better, but didn't really look into the reasons why. After doing some research to answer the question of "why" RSS is insecure. I see why RSS is such a bad protocol. I learned something new, thanks =)

So attempting to read between the lines, this is why you do not include it in werkzeug/flask.

"Because RSS has so many issues with security, I do not condone the use of it for any website, therefore in an effort to keep other programmers from using it I do not include it as a library in flask/werkzeug."

--
Thadeus

On Wed, May 26, 2010 at 10:34 PM, Armin Ronacher <armin.ronacher@active-4.com> wrote:
> Hi,
>
> On 5/26/10 6:04 PM, Thadeus Burgess wrote:
>> Perhaps a more intellectual response would be to describe issues with
>> it, instead of blatantly flaming it, even if the flames are accurate.
> There is nothing more to add. The concept of guessing HTML versus
> plain/text is flawed and there *is no way* to reliably guess what you
> are dealing with. RSS is a hugely flawed and insecure protocol *you
> must not use*. So stop right now.
>
> Regards,
> Armin
HAH! Awesome.

Kenneth Reitz
http://kennethreitz.com/contact-me

On May 26, 2010, at 10:16 AM, Armin Ronacher wrote:
> On 5/26/10 2:31 AM, Thadeus Burgess wrote:
>> Why does flask have Atom feed but not an RSS feed?
> Because RSS is a horrible and insecure format.
>
> Regards,
> Armin
On 05/25/2010 08:31 PM, Thadeus Burgess wrote:
> Why does flask have Atom feed but not an RSS feed?
>
> --
> Thadeus

In a snarkier mood, I might say that it's because RSS is a stupid piece
of junk and Atom's way better. (Which is true regardless.)

But the fact of the matter is that Flask itself doesn't have RSS *or*
Atom support. The Atom support is a Werkzeug contrib module, and
Werkzeug is maintained separately from Flask (though they are by the
same person). Whoever wrote werkzeug.contrib.atom didn't feel like
writing an RSS module.

The snippet explaining how to do Atom is just that - a snippet
*demonstrating* how to create your own Atom feed. It's not part of Flask
itself. There's nothing stopping you from finding your own way to do RSS
and adding a snippet for that.

--
Regards,
LeafStorm (http://www.leafstorm.us/)
Sorry to hear you are in a snarky mood.

I have already created an RSSFeed class and am pondering about placing
it in a flaskext namespace on pypi. My question is more directed
towards why one doesn't exist yet and should I release my code as a
flask extension.

I can provide both formats on my blog, to increase compatibility with
broken software that only cares about RSS format.

--
Thadeus

On Tue, May 25, 2010 at 10:09 PM, LeafStorm <leafstormrush@gmail.com> wrote:
> On 05/25/2010 08:31 PM, Thadeus Burgess wrote:
>> Why does flask have Atom feed but not an RSS feed?
>>
>> --
>> Thadeus
>
> In a snarkier mood, I might say that it's because RSS is a stupid piece
> of junk and Atom's way better. (Which is true regardless.)
>
> But the fact of the matter is that Flask itself doesn't have RSS *or*
> Atom support. The Atom support is a Werkzeug contrib module, and
> Werkzeug is maintained separately from Flask (though they are by the
> same person). Whoever wrote werkzeug.contrib.atom didn't feel like
> writing an RSS module.
>
> The snippet explaining how to do Atom is just that - a snippet
> *demonstrating* how to create your own Atom feed. It's not part of Flask
> itself. There's nothing stopping you from finding your own way to do RSS
> and adding a snippet for that.
> --
> Regards,
> LeafStorm (http://www.leafstorm.us/)
Flask is still a new project, and there are a lot of things for it that don't exist yet. Probably, the reason there isn't an RSS generator is because no one else has needed one.

If you want to release your RSSFeed as a flaskext, by all means go ahead.

Though, an interesting idea I had is a more general "feeds" extension that can generate both RSS and Atom. Since there is already an AtomFeed and you have written an RSSFeed, the only thing left is to provide a common interface that can generate both. Then, providing both feed formats for compatibility would be trivial.

On 05/25/2010 11:16 PM, Thadeus Burgess wrote:
> Sorry to hear you are in a snarky mood.
>
> I have already created an RSSFeed class and am pondering about placing
> it in a flaskext namespace on pypi. My question is more directed
> towards why one doesn't exist yet and should I release my code as a
> flask extension.
>
> I can provide both formats on my blog, to increase compatibility with
> broken software that only cares about RSS format.
>
> --
> Thadeus

--
Regards,
LeafStorm (http://www.leafstorm.us/)