From 500d05f3c5ec3a3dffa7791f7447bc0d31d6f7e0 Mon Sep 17 00:00:00 2001 From: Inverle Date: Sun, 2 Nov 2025 00:28:35 +0100 Subject: Implement whitelist for SimplePie sanitizer (#7924) * Implement whitelist for SimplePie sanitizer ref: https://github.com/FreshRSS/FreshRSS/pull/7770#issuecomment-3140334326 https://github.com/FreshRSS/simplepie/pull/53 https://github.com/simplepie/simplepie/pull/947 * Remove `` from whitelist * Improve order * Remove some tags from whitelist * Revert partially * sync * Display contents of `<noscript>` and `<noembed>` * sync * Allow use of `<track>` * sync again * Sync to SimplePie fork https://github.com/FreshRSS/simplepie/pull/53 * Alphabetic order * Reduce list of stripped attributes * Temporarily strip some attributes --------- Co-authored-by: Alexandre Alapetite <alexandre@alapetite.fr> --- docs/en/admins/10_ServerConfig.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'docs/en/admins/10_ServerConfig.md') diff --git a/docs/en/admins/10_ServerConfig.md b/docs/en/admins/10_ServerConfig.md index 54f4f0fb4..c907221ea 100644 --- a/docs/en/admins/10_ServerConfig.md +++ b/docs/en/admins/10_ServerConfig.md @@ -116,9 +116,9 @@ server { ## Security Avoid overwriting the [`Content-Security-Policy`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Guides/CSP) header with directives such as `more_set_headers "Content-Security-Policy: ..."` -This will likely make your FreshRSS instance vulnerable to event handler XSS attacks, since FreshRSS does not yet blacklist all event attributes. -✅ Example of good CSP: `default-src 'self' frame-ancestors 'self'` +✅ Example of good CSP: `default-src 'self'; frame-ancestors 'self'` + ❌ Bad CSP: `upgrade-insecure-requests` Debug CSP header: -- cgit v1.2.3
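Review bot: removing the line `-This will likely make your FreshRSS instance vulnerable to event handler XSS attacks, since FreshRSS does not yet blacklist all event attributes.` leaves the preceding advice ("Avoid overwriting the Content-Security-Policy header ...") with no stated rationale; since the rest of this commit replaces the attribute blacklist with a sanitizer whitelist, consider rewording the sentence rather than deleting it, for example `Overriding it removes a defence-in-depth layer that backs up the HTML sanitizer.` The semicolon introduced in `+✅ Example of good CSP: default-src 'self'; frame-ancestors 'self'` is the correct fix: CSP directives are `;`-separated, so in the old form `frame-ancestors 'self'` would have been parsed as additional source expressions of `default-src` and no `frame-ancestors` directive would have been set at all; it would be worth a short note in the doc so readers do not drop the separator again.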