Message
element
should not contain script
attribute
Explanation
Some feed elements are allowed to contain HTML. However, some HTML attributes, like onclick
, are potentially dangerous and could cause unwanted side effects in browser-based news aggregators. In a perfect world, these dangerous attributes would be stripped out on the client side, but it's not a perfect world, so you should make sure to strip them out yourself.
The list of dangerous attributes varies from browser to browser, and even from browser version to browser version. As such the RSS Validator takes a white-list approach, and only accepts the following attributes:
abbr
,accept
,accept-charset
,accesskey
,action
,align
,alt
,axis
,border
,cellpadding
,cellspacing
,char
,charoff
,charset
,checked
,cite
,class
,clear
,cols
,colspan
,color
,compact
,coords
,datetime
,dir
,disabled
,enctype
,for
,frame
,headers
,height
,href
,hreflang
,hspace
,id
,ismap
,label
,lang
,longdesc
,maxlength
,media
,method
,multiple
,name
,nohref
,noshade
,nowrap
,prompt
,readonly
,rel
,rev
,rows
,rowspan
,rules
,scope
,selected
,shape
,size
,span
,src
,srcset
,start
,summary
,tabindex
,target
,title
,type
,usemap
,valign
,value
,vspace
, andwidth
Solution
Consider removing the potentially unsafe HTML attribute. At a minimum, ensure that your content will still display as intended if this attribute is stripped by security conscious clients.
Not clear? Disagree?
You might be able to find help in one of these fine resources.