Show HN: rust-rss – library for serializing the RSS web content format - frewsxcv
https://github.com/frewsxcv/rust-rss

======
iagooar
Nice! It's good to see libraries like these popping up, adding more value to
the Rust ecosystem.

Coming from Ruby and Rails, I'm excited to dive into low-level programming
with Rust. It is just so refreshing to have control over stuff that is totally
abstracted away in Ruby, while being safe enough just to not shoot myself in
the foot each time.

~~~
steveklabnik
If you feel like it, when you do, please let me know how it goes. I'm really
invested in trying to make that particular leap a success.

~~~
iagooar
I will do, Steve! I follow you on Twitter so I'll ping you once I feel like I
can write decent Rust code and have an acceptable level of low-level
programming know-how.

Maybe I shall write a little blog post about it, so I can explain the major
challenges a bit.

~~~
steveklabnik
That'd be wonderful. I don't know how long you've written Ruby, but Jay Fields
had a blog way back in the day that was just really basic stuff. I'd really
like to see such a thing for Rust. So, I guess what I'm saying is, you can
probably start something similar even before you feel like you can write
'decent' Rust code...

That's a lot of work, though, but I think someone is gonna do it at some
point, I hope.

------
nl
I don't know Rust, but I think this could be vulnerable to XXE attacks[1]. Back
in the day I fixed all the Java RSS libraries so now I always look for it.
It's not exactly an obvious problem.

Also you should add RSS 1.0 (RDF) and Atom support.

[1] [https://www.owasp.org/index.php/XML_External_Entity_%28XXE%29_Processing](https://www.owasp.org/index.php/XML_External_Entity_%28XXE%29_Processing)

~~~
frewsxcv
Is the security issue related to specifically RSS or the XML parsers?

With regards to Atom: [https://github.com/frewsxcv/rust-rss/issues/2](https://github.com/frewsxcv/rust-rss/issues/2)

I did not think RSS 1.0 support was necessary since (AFAIK) RSS 2.0 is
backwards compatible. Please correct me if this is wrong.

~~~
nl
XXE attacks are caused by configuration settings of the XML parser. Generally
the default config is to allow external entities, and the calling code needs
to override that config because the documents come from untrusted sources.

RSS 1.0 and 2.0 are completely incompatible. There is a whole boring politics
story there.

------
gsnedders
A quick look shows that RustyXML doesn't have complete error-checking when
building a tree, so it's possible to get this library to generate output that
isn't well-formed XML (hi parse-errors!), which should be a worry if you're
taking input from other sources (with arbitrary strings).

~~~
frewsxcv
Author of rust-rss here. What kind of errors could occur when generating the
output?

~~~
gsnedders
Consider a string containing U+0000 or U+FFFF; both will generate output that
isn't well-formed XML.

~~~
frewsxcv
I'll look into it. Thanks for pointing it out.

~~~
gsnedders
As far as I'm aware, this is just a current shortcoming of RustyXML — it
should just be fixed there.

------
blaenk
Wow, just now I needed something like this for my rust package!