NewsBlur/vendor/feedvalidator/demo/docs/warning/SecurityRiskAttr.html

<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
<head>
<title>foo should not contain script attribute</title>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
<link rel="icon" href="http://www.feedvalidator.org/favicon.ico" />
<link rel="shortcut icon" href="http://www.feedvalidator.org/favicon.ico" />
<style type="text/css" media="screen">@import "../../css/common.css";
@import "../../css/documentation.css";</style>
<script type="text/javascript"><!-- --></script>
<link rel="start" href="http://feedvalidator.org/docs/" title="Home" />
</head>
<body>
<div id="logo">
<h1><a href="../../"><span id="feed"><span id="f">F</span><span id="e1">E</span><span id="e2">E</span></span><span id="d">D</span> Validator</a></h1>
<p>Documentation</p>
<a class="skip" href="#startnavigation">Jump to navigation</a>
</div> <!--logo-->
<div id="main">
<h2>Message</h2>
<div class="docbody">
<p><code>foo</code> should not contain <code>script</code> attribute</p>
</div>
<h2>Explanation</h2>
<div class="docbody">
<p>Some feed elements are allowed to contain HTML. However, some HTML attributes, like <code>onclick</code>, are potentially dangerous: they can execute script and cause unwanted side effects in browser-based news aggregators. In a perfect world, these dangerous attributes would be stripped out on the client side, but it's not a perfect world, so you should make sure to strip them out yourself before publishing.</p>
<p>The list of dangerous attributes varies from browser to browser, and even
from browser version to browser version. Rather than try to enumerate the dangerous
ones, the Feed Validator takes a white-list approach and only accepts the following attributes:</p>
<blockquote>
<code>abbr</code>,
<code>accept</code>,
<code>accept-charset</code>,
<code>accesskey</code>,
<code>action</code>,
<code>align</code>,
<code>alt</code>,
<code>axis</code>,
<code>border</code>,
<code>cellpadding</code>,
<code>cellspacing</code>,
<code>char</code>,
<code>charoff</code>,
<code>charset</code>,
<code>checked</code>,
<code>cite</code>,
<code>class</code>,
<code>clear</code>,
<code>cols</code>,
<code>colspan</code>,
<code>color</code>,
<code>compact</code>,
<code>coords</code>,
<code>datetime</code>,
<code>dir</code>,
<code>disabled</code>,
<code>enctype</code>,
<code>for</code>,
<code>frame</code>,
<code>headers</code>,
<code>height</code>,
<code>href</code>,
<code>hreflang</code>,
<code>hspace</code>,
<code>id</code>,
<code>ismap</code>,
<code>label</code>,
<code>lang</code>,
<code>longdesc</code>,
<code>maxlength</code>,
<code>media</code>,
<code>method</code>,
<code>multiple</code>,
<code>name</code>,
<code>nohref</code>,
<code>noshade</code>,
<code>nowrap</code>,
<code>prompt</code>,
<code>readonly</code>,
<code>rel</code>,
<code>rev</code>,
<code>rows</code>,
<code>rowspan</code>,
<code>rules</code>,
<code>scope</code>,
<code>selected</code>,
<code>shape</code>,
<code>size</code>,
<code>span</code>,
<code>src</code>,
<code>start</code>,
<code>summary</code>,
<code>tabindex</code>,
<code>target</code>,
<code>title</code>,
<code>type</code>,
<code>usemap</code>,
<code>valign</code>,
<code>value</code>,
<code>vspace</code>, and
<code>width</code>
</blockquote>
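<p>The white-list above is easy to enforce on the publishing side, which is what the Solution below asks of you. The following is an added example (not code from the Feed Validator or from NewsBlur) showing how a publisher or aggregator can rebuild feed HTML while dropping every attribute that is not on the list. It goes one step beyond the page's attribute list: because <code>href</code>, <code>src</code> and the other URL-carrying attributes are permitted, the example also rejects values whose scheme is not <code>http</code>, <code>https</code>, <code>mailto</code> or relative, which is an assumption of this example rather than part of the Feed Validator's check. The sample HTML is constructed for the demonstration.</p>

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Attribute white-list copied from the Feed Validator's SecurityRiskAttr page.
ALLOWED_ATTRS = frozenset("""
abbr accept accept-charset accesskey action align alt axis border cellpadding
cellspacing char charoff charset checked cite class clear cols colspan color
compact coords datetime dir disabled enctype for frame headers height href
hreflang hspace id ismap label lang longdesc maxlength media method multiple
name nohref noshade nowrap prompt readonly rel rev rows rowspan rules scope
selected shape size span src start summary tabindex target title type usemap
valign value vspace width
""".split())

# Assumption beyond the page: white-listed attributes that carry a URL get a
# scheme check too, so a permitted attribute cannot smuggle in a javascript: URL.
URL_ATTRS = frozenset({"href", "src", "action", "cite", "longdesc", "usemap"})
SAFE_SCHEMES = frozenset({"http", "https", "mailto", ""})  # "" means a relative URL

# HTML elements that never have a closing tag; emitted in XHTML self-closing form.
VOID_ELEMENTS = frozenset({"area", "base", "br", "col", "hr", "img", "input", "link", "meta", "param"})


def _url_ok(value):
    """True if the attribute value has an allowed scheme (or is relative)."""
    if value is None:
        return False
    # Browsers ignore control characters and whitespace inside the scheme
    # ("java\nscript:"), so drop them before looking at the scheme.
    cleaned = "".join(ch for ch in value if ord(ch) > 0x20)
    return urlsplit(cleaned).scheme.lower() in SAFE_SCHEMES


class AttrStripper(HTMLParser):
    """Re-serializes HTML, keeping only white-listed attributes with acceptable values."""

    def __init__(self):
        super().__init__(convert_charrefs=False)  # keep entities verbatim in the output
        self.out = []
        self.dropped = []  # (tag, attribute) pairs that were removed, for logging

    def _filter(self, tag, attrs):
        kept = []
        for name, value in attrs:
            name = name.lower()
            if name not in ALLOWED_ATTRS:
                self.dropped.append((tag, name))
            elif name in URL_ATTRS and not _url_ok(value):
                self.dropped.append((tag, name))
            else:
                kept.append((name, value))
        return kept

    def _emit_start(self, tag, attrs, self_closing):
        parts = [tag]
        for name, value in self._filter(tag, attrs):
            if value is None:  # boolean attribute such as <option selected>
                parts.append(name)
            else:  # HTMLParser has already unescaped the value, so re-escape it
                parts.append('%s="%s"' % (name, escape(value, quote=True)))
        self.out.append("<%s%s>" % (" ".join(parts), " /" if self_closing else ""))

    def handle_starttag(self, tag, attrs):
        self._emit_start(tag, attrs, tag in VOID_ELEMENTS)

    def handle_startendtag(self, tag, attrs):
        self._emit_start(tag, attrs, True)

    def handle_endtag(self, tag):
        if tag not in VOID_ELEMENTS:
            self.out.append("</%s>" % tag)

    def handle_data(self, data):
        self.out.append(data)

    def handle_entityref(self, name):
        self.out.append("&%s;" % name)

    def handle_charref(self, name):
        self.out.append("&#%s;" % name)


def sanitize(fragment):
    """Return (cleaned_html, dropped) for an HTML fragment taken from a feed entry."""
    parser = AttrStripper()
    parser.feed(fragment)
    parser.close()
    return "".join(parser.out), parser.dropped


# Constructed sample entry content: two script-bearing attributes and a javascript: link.
SAMPLE = ('<p class="entry">Read <a href="http://example.org/post" onclick="steal()">more</a>'
          '<img src="http://example.org/i.png" onerror="alert(1)" alt="cover" />'
          '<a href="javascript:alert(document.cookie)" title="x">click</a></p>')

if __name__ == "__main__":
    cleaned, dropped = sanitize(SAMPLE)
    print(cleaned)
    print("dropped:", dropped)
```

<p>Run against the sample, the <code>onclick</code> and <code>onerror</code> attributes disappear outright, and the <code>javascript:</code> link loses its <code>href</code> but keeps its white-listed <code>title</code>. The <code>dropped</code> list is worth logging when this runs in a publishing pipeline, since a sudden spike in stripped attributes usually means upstream content is being tampered with.</p>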
</div>
<h2>Solution</h2>
<div class="docbody">
<p>Consider removing the potentially unsafe HTML attribute.
At a minimum, ensure that your content will still display as intended
if this attribute is stripped by
<a href="http://diveintomark.org/archives/2003/06/12/how_to_consume_rss_safely">security conscious clients</a>.</p>
</div>
<h2>Not clear? Disagree?</h2>
<div class="docbody">
<p>Let us know on the <a href="http://lists.sourceforge.net/lists/listinfo/feedvalidator-users">feedvalidator-users</a> discussion list!</p>
</div>
</div><!--main-->
<div class="centered">
<a name="startnavigation" id="startnavigation"></a>
<div class="navbarWrapper">
<div class="navbarContent">
<img class="borderTL" src="../../images/borderTL.gif" alt="" width="14" height="14" />
<img class="borderTR" src="../../images/borderTR.gif" alt="" width="14" height="14" />
<p>
<a href="../../">Home</a> &middot;
<a href="../../about.html">About</a> &middot;
<a href="../../news/">News</a> &middot;
<a href="../../docs/">Docs</a> &middot;
<a href="../../terms.html">Terms</a>
</p>
<div class="roundedCornerSpacer">&nbsp;</div>
</div><!-- .content -->
<div class="bottomCorners">
<img class="borderBL" src="../../images/borderBL.gif" alt="" width="14" height="14" />
<img class="borderBR" src="../../images/borderBR.gif" alt="" width="14" height="14" />
</div><!-- .bottomCorners -->
</div><!-- .contentWrapper -->
</div><!-- .centered -->
<div class="centered">
<address>Copyright &copy; 2002-4 <a href="http://diveintomark.org/">Mark Pilgrim</a> and <a href="http://www.intertwingly.net/blog/">Sam Ruby</a></address>
</div>
</body>
</html>