The Web Sucks | June 13, 2003 11:19 AM | Comments (1)

Excellent reading for web engineers: How to consume RSS safely.

Mark lists 10 HTML elements that must be stripped to safely display HTML from an RSS feed. He mentions stripping style attributes from RSS, but fails to mention an even more important set of attributes: the JavaScript event attributes.

Sure, you'll want to leave <img> tags in the RSS feed, but what about those nasty onmouseover="..." attributes?
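As an added example (not code from the original post or from Mark's article), here is a small Python sanitizer that applies the point above: it drops a handful of dangerous elements (an assumed list, since the post does not reproduce Mark's ten), strips every on* event attribute and every style attribute, and goes one step beyond the post by also refusing href/src values whose scheme is not http, https, mailto or ftp.

```python
from html import escape
from html.parser import HTMLParser
# Assumed element lists (the post does not reproduce Mark's ten elements).
DROP_WITH_CONTENT = {"script", "style", "object", "iframe", "applet", "frameset"}
DROP_TAG_ONLY = {"meta", "link", "embed", "frame", "base"}
URL_ATTRS = {"href", "src", "background", "action"}
SAFE_SCHEMES = {"http", "https", "mailto", "ftp"}

def clean_attrs(attrs):
    kept = []
    for name, value in attrs:  # html.parser already lower-cases names
        if name.startswith("on") or name == "style":
            continue  # onload, onmouseover, ... and inline CSS
        if name in URL_ATTRS and value is not None:
            url = "".join(value.split()).lower()  # defeats "java\nscript:"
            if ":" in url and url.split(":", 1)[0] not in SAFE_SCHEMES:
                continue
        kept.append(' %s="%s"' % (name, escape(value or "")))
    return "".join(kept)

class FeedSanitizer(HTMLParser):
    def __init__(self):
        super().__init__()
        self.out, self.skip = [], 0  # skip > 0 while inside a dropped container

    def handle_starttag(self, tag, attrs, selfclosing=False):
        if tag in DROP_WITH_CONTENT:
            self.skip += 1
        elif not (self.skip or tag in DROP_TAG_ONLY):
            self.out.append("<%s%s%s>" % (tag, clean_attrs(attrs), " /" if selfclosing else ""))

    def handle_startendtag(self, tag, attrs):
        if tag not in DROP_WITH_CONTENT:
            self.handle_starttag(tag, attrs, selfclosing=True)

    def handle_endtag(self, tag):
        if tag in DROP_WITH_CONTENT:
            self.skip = max(0, self.skip - 1)
        elif not (self.skip or tag in DROP_TAG_ONLY):
            self.out.append("</%s>" % tag)

    def handle_data(self, data):
        if not self.skip:
            self.out.append(escape(data, quote=False))

def sanitize(html):
    # Return feed HTML with script-bearing elements and attributes removed.
    parser = FeedSanitizer()
    parser.feed(html)
    parser.close()
    return "".join(parser.out)
```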

Comments

onMouseOver is the least of your concerns; onLoad doesn't even require user action (see my comments on Mark's blog)

Posted by Joe Grossberg at June 14, 2003 07:29 AM

Copyright © 2007 Michael J. Radwin. Some rights reserved.