Today I decided to add an "RSS" functionality to my blog.
All was fine, until I noticed the URL of the RSS page. It appears that the entire RSS feed is constructed by the information in the URL. I discovered that by simply manipulating the URL, you can view an RSS feed of any page, or every category on a public wiki.
Why is this a problem?
I have set up a functionality on my blog where if I tag a page as "_private", the page is not displayed. This is done through a Live Template, and [[iftags]]. I learnt that by simply removing the "/tags/-_private" part from my RSS URL, I could show an entire list of all blog entries — including my "_private" blog entries. They display perfectly for the whole world to see.
Yikes!! Thank goodness I haven't posted any private blog entries yet!
I only want one category on my entire site to be viewable via RSS. So what do I propose?
In the Site Manager panel, there should be an option for "RSS feeds".
On that panel, you should be able to click a checkbox that says "enable RSS on your site".
If the checkbox is enabled, then some options should appear saying "do you want RSS feeds to be only available for specific pages?"
Then you should be able to add URLs of the RSS feed you want to be functional.
So I would type in http://jameskanjo.wikidot.com/feed/pages/category/blog/tags/-_private/order/dateCreatedDesc/t/James+Kanjo%27s+Blog
And if anybody manipulated that URL, the Wikidot engine would detect this because the URL doesn't match any of the URLs specified in the list. Perhaps a page would come up and say "sorry, RSS is not available on this page".
Thoughts?
λ James Kanjo
Blog | Wikidot Expert | λ and Proud
Web Developer | HTML | CSS | JavaScript
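
The allowlist check proposed in the post above, sketched as an added example (it is not part of the original post and is not Wikidot's code). It assumes that everything after `/feed/pages/` is a sequence of key/value path segments, as the URL in the post suggests; the function names are hypothetical.

```python
from urllib.parse import urlsplit, unquote_plus

# Feed URLs the site owner has approved (here, the one URL from the post).
ALLOWED_FEEDS = [
    "http://jameskanjo.wikidot.com/feed/pages/category/blog/tags/-_private"
    "/order/dateCreatedDesc/t/James+Kanjo%27s+Blog",
]


def canonical_feed(url):
    """Reduce a feed URL to (host, sorted key/value pairs), or None if malformed.

    Canonicalising first means harmless differences (host case, ' vs %27)
    still match, while any change to the filter parameters does not.
    """
    parts = urlsplit(url)
    segments = parts.path.strip("/").split("/")
    if segments[:2] != ["feed", "pages"]:
        return None
    rest = segments[2:]
    if len(rest) % 2:                 # a key with no value
        return None
    params = {}
    for key, value in zip(rest[0::2], rest[1::2]):
        key = unquote_plus(key).lower()
        if key in params:             # duplicate key is ambiguous: reject
            return None
        params[key] = unquote_plus(value)
    return (parts.hostname or "").lower(), tuple(sorted(params.items()))


ALLOWED = {canonical_feed(u) for u in ALLOWED_FEEDS}


def feed_allowed(url):
    """True only if the requested feed is exactly one the owner approved."""
    canon = canonical_feed(url)
    return canon is not None and canon in ALLOWED


if __name__ == "__main__":
    approved = ALLOWED_FEEDS[0]
    tampered = approved.replace("/tags/-_private", "")  # the edit described in the post
    for u in (approved, tampered):
        print(feed_allowed(u), u)
```

A request that fails the check would get the "sorry, RSS is not available on this page" response suggested in the post instead of a feed.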