public-mirrors/NewsBlur
1
0
Fork 0
mirror of https://github.com/samuelclay/NewsBlur.git synced 2025-08-21 05:45:13 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions
NewsBlur/vendor/feedvalidator/demo/docs/warning/DangerousStyleAttr.html

156 lines
5.5 KiB
HTML
Raw Blame History

<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
<head>
<title>style attribute contains potentially dangerous content</title>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
<link rel="icon" href="http://www.feedvalidator.org/favicon.ico" />
<link rel="shortcut icon" href="http://www.feedvalidator.org/favicon.ico" />
<style type="text/css" media="screen">@import "../../css/common.css";
@import "../../css/documentation.css";</style>
<script type="text/javascript"><!-- --></script>
<link rel="start" href="http://feedvalidator.org/docs/" title="Home" />
</head>
<body>
<div id="logo">
<h1><a href="../../"><span id="feed"><span id="f">F</span><span id="e1">E</span><span id="e2">E</span></span><span id="d">D</span> Validator</a></h1>
<p>Documentation</p>
<a class="skip" href="#startnavigation">Jump to navigation</a>
</div> <!--logo-->
<div id="main">
<h2>Message</h2>
<div class="docbody">
<p><code>style</code> attribute contains potentially dangerous content</p>
</div>
<h2>Explanation</h2>
<div class="docbody">
<p>Style attributes are very problematic in feeds. One one hand, they can be used to convey important Unicode or accessibility information. Style attributes even at times have been used to convey semantic information. But on the other hand, they can be used as Trojan Horses and cause dangerous scripts to be executed.</p>
<p>The list of dangerous properties varies from browser to browser, and even
from browser version to browser version. As such the Feed Validator takes a
white-list approach, and only accepts the following CSS properties:</p>
<blockquote>
<code>azimuth</code>,
<code>background</code>,
<code>background-color</code>,
<code>border</code>,
<code>border-bottom</code>,
<code>border-bottom-color</code>,
<code>border-bottom-style</code>,
<code>border-bottom-width</code>,
<code>border-collapse</code>,
<code>border-color</code>,
<code>border-left</code>,
<code>border-left-color</code>,
<code>border-left-style</code>,
<code>border-left-width</code>,
<code>border-right</code>,
<code>border-right-color</code>,
<code>border-right-style</code>,
<code>border-right-width</code>,
<code>border-spacing</code>,
<code>border-style</code>,
<code>border-top</code>,
<code>border-top-color</code>,
<code>border-top-style</code>,
<code>border-top-width</code>,
<code>border-width</code>,
<code>clear</code>,
<code>color</code>,
<code>cursor</code>,
<code>direction</code>,
<code>display</code>,
<code>elevation</code>,
<code>float</code>,
<code>font</code>,
<code>font-family</code>,
<code>font-size</code>,
<code>font-style</code>,
<code>font-variant</code>,
<code>font-weight</code>,
<code>height</code>,
<code>letter-spacing</code>,
<code>line-height</code>,
<code>margin</code>,
<code>margin-bottom</code>,
<code>margin-left</code>,
<code>margin-right</code>,
<code>margin-top</code>,
<code>overflow</code>,
<code>padding</code>,
<code>padding-bottom</code>,
<code>padding-left</code>,
<code>padding-right</code>,
<code>padding-top</code>,
<code>pause</code>,
<code>pause-after</code>,
<code>pause-before</code>,
<code>pitch</code>,
<code>pitch-range</code>,
<code>richness</code>,
<code>speak</code>,
<code>speak-header</code>,
<code>speak-numeral</code>,
<code>speak-punctuation</code>,
<code>speech-rate</code>,
<code>stress</code>,
<code>text-align</code>,
<code>text-decoration</code>,
<code>text-indent</code>,
<code>unicode-bidi</code>,
<code>vertical-align</code>,
<code>voice-family</code>,
<code>volume</code>,
<code>white-space</code>, and
<code>width</code>
</blockquote>
<p>Additionally, the values of a number of these properties can be problematic
to verify as safe, so any references to URIs or difficult to parse
constructs should be avoided.</p>
</div>
<h2>Solution</h2>
<div class="docbody">
<p>Consider simplifying or completely removing the potentially unsafe
<code>style</code> attribute. At a minimum, ensure that your content will
still display as intended if this attribute is stripped by
<a href="http://diveintomark.org/archives/2003/06/12/how_to_consume_rss_safely">security conscious clients</a>.</p>
</div>
<h2>Not clear? Disagree?</h2>
<div class="docbody">
<p>Let us know on the <a href="http://lists.sourceforge.net/lists/listinfo/feedvalidator-users">feedvalidator-users</a> discussion list!</p>
</div>
</div><!--main-->
<div class="centered">
<a name="startnavigation" id="startnavigation"></a>
<div class="navbarWrapper">
<div class="navbarContent">
<img class="borderTL" src="../../images/borderTL.gif" alt="" width="14" height="14" />
<img class="borderTR" src="../../images/borderTR.gif" alt="" width="14" height="14" />
<p>
<a href="../../">Home</a> &middot;
<a href="../../about.html">About</a> &middot;
<a href="../../news/">News</a> &middot;
<a href="../../docs/">Docs</a> &middot;
<a href="../../terms.html">Terms</a>
</p>
<div class="roundedCornerSpacer">&nbsp;</div>
</div><!-- .content -->
<div class="bottomCorners">
<img class="borderBL" src="../../images/borderBL.gif" alt="" width="14" height="14" />
<img class="borderBR" src="../../images/borderBR.gif" alt="" width="14" height="14" />
</div><!-- .bottomCorners -->
</div><!-- .contentWrapper -->
</div><!-- .centered -->
<div class="centered">
<address>Copyright &copy; 2002-4 <a href="http://diveintomark.org/">Mark Pilgrim</a> and <a href="http://www.intertwingly.net/blog/">Sam Ruby</a></address>
</div>
</body>
</html>
Reference in a new issue View git blame Copy permalink