public-mirrors/NewsBlur
1
0
Fork 0
mirror of https://github.com/samuelclay/NewsBlur.git synced 2025-08-05 16:58:59 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions
NewsBlur/vendor/feedvalidator/demo/docs-xml/warning/SecurityRiskAttr.xml

94 lines
2.6 KiB
XML
Raw Blame History

<fvdoc>
<div xmlns='http://www.w3.org/1999/xhtml'>
<div id='message'>
<p><code>foo</code> should not contain <code>script</code> attribute</p>
</div>
<div id='explanation'>
<p>Some feed elements are allowed to contain HTML. However, some HTML attributes, like <code>onclick</code>, are potentially dangerous and could cause unwanted side effects in browser-based news aggregators. In a perfect world, these dangerous attributes would be stripped out on the client side, but it's not a perfect world, so you should make sure to strip them out yourself.</p>
<p>The list of dangerous attributes varies from browser to browser, and even
from browser version to browser version. As such the Feed Validator takes a
white-list approach, and only accepts the following attributes:</p>
<blockquote>
<code>abbr</code>,
<code>accept</code>,
<code>accept-charset</code>,
<code>accesskey</code>,
<code>action</code>,
<code>align</code>,
<code>alt</code>,
<code>axis</code>,
<code>border</code>,
<code>cellpadding</code>,
<code>cellspacing</code>,
<code>char</code>,
<code>charoff</code>,
<code>charset</code>,
<code>checked</code>,
<code>cite</code>,
<code>class</code>,
<code>clear</code>,
<code>cols</code>,
<code>colspan</code>,
<code>color</code>,
<code>compact</code>,
<code>coords</code>,
<code>datetime</code>,
<code>dir</code>,
<code>disabled</code>,
<code>enctype</code>,
<code>for</code>,
<code>frame</code>,
<code>headers</code>,
<code>height</code>,
<code>href</code>,
<code>hreflang</code>,
<code>hspace</code>,
<code>id</code>,
<code>ismap</code>,
<code>label</code>,
<code>lang</code>,
<code>longdesc</code>,
<code>maxlength</code>,
<code>media</code>,
<code>method</code>,
<code>multiple</code>,
<code>name</code>,
<code>nohref</code>,
<code>noshade</code>,
<code>nowrap</code>,
<code>prompt</code>,
<code>readonly</code>,
<code>rel</code>,
<code>rev</code>,
<code>rows</code>,
<code>rowspan</code>,
<code>rules</code>,
<code>scope</code>,
<code>selected</code>,
<code>shape</code>,
<code>size</code>,
<code>span</code>,
<code>src</code>,
<code>start</code>,
<code>summary</code>,
<code>tabindex</code>,
<code>target</code>,
<code>title</code>,
<code>type</code>,
<code>usemap</code>,
<code>valign</code>,
<code>value</code>,
<code>vspace</code>, and
<code>width</code>
</blockquote>
</div>
<div id='solution'>
<p>Consider removing the potentially unsafe HTML attribute.
At a minimum, ensure that your content will still display as intended
if this attribute is stripped by
<a href="http://diveintomark.org/archives/2003/06/12/how_to_consume_rss_safely">security conscious clients</a>.</p>
</div>
</div>
</fvdoc>
Reference in a new issue View git blame Copy permalink