Feed me the good stuff
Sterling Camden
I just resolved a “problem” with the feed for this site. Posts and comments use BBcode for markup, and that all gets rendered fine on my site. But the feed generator just dumped all of the BBcode as plain text. Besides the expected blah factor of dead links, no images, and no text effects, this also had the unexpected and potentially dangerous effect in some (okay, most) feed readers of interpreting any HTML embedded in the post as live code.
So, for instance, if one of my posts contained a javascript example enclosed in a “script” element, that might execute in your feed reader! Of course, I’m not that devious (at least I don’t think so…wait, what are the voices saying?) but I could certainly slip up and include something nefarious by accident — as I did here. In this post, I was exposing the practices of phishers. I included their e-mail as an image so it wouldn’t have the links, but I explored the code they used for their link to show how to identify the scam. In most feed readers, the image failed to render, but the evil link was live! Ouch!
So I plugged that hole. Now the rendering of the “description” in the feed is identical to its rendering on my site. There has been some controversy over whether or not HTML elements should be allowed in the “description” element of an RSS feed. Unfortunately, that means that including markup in a post causes some issues with the RSS Feed Validator, but on the other hand, previously the validator would have choked on embedded code in the text of the post. Whaddya gonna do?

UPDATE: I found that the RSS Draft Specification says that HTML elements must be encoded as character data, so all I needed to do was call htmlentities() on the text prior to adding it to the feed. Tested it with Sage and FeedDemon, and it still renders the HTML elements as expected, and now it also passes the Feed Validator.
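An added example (not code from this blog or its feed generator) of the two-step pipeline the post settles on: render BBcode to HTML exactly as the site does, escaping any HTML typed into the post, then entity-encode the rendered result for the RSS description element. It is written in Python, with html.escape standing in for PHP's htmlentities(); the BBcode subset, the sample post and the .invalid domain are constructed for illustration.

```python
import html
import re
from xml.etree import ElementTree as ET

# Constructed sample post: BBcode plus a raw HTML link pasted into the body,
# the kind of markup that showed up "live" in feed readers before the fix.
SAMPLE_POST = (
    "Look at [b]this[/b] phishing link: "
    '<a href="http://bank-login.invalid/">Update your account</a> '
    "(my real link: [url=https://example.com/]site[/url])"
)

# Minimal BBcode subset (constructed); [url] only accepts http(s) targets.
_BBCODE_RULES = [
    (re.compile(r"\[b\](.*?)\[/b\]", re.S), r"<b>\1</b>"),
    (re.compile(r"\[url=(https?://[^\]\s]+)\](.*?)\[/url\]", re.S),
     r'<a href="\1">\2</a>'),
]

def render_bbcode(text: str) -> str:
    """Render a post to HTML the way the site does: HTML typed into the
    post is escaped first, so only BBcode tags become live markup."""
    out = html.escape(text, quote=True)
    for pattern, repl in _BBCODE_RULES:
        out = pattern.sub(repl, out)
    return out

def broken_feed_item(body: str) -> str:
    """Old behaviour: the post text dumped into <description> untouched,
    so any raw HTML in it reaches the feed reader as markup."""
    return f"<item><description>{body}</description></item>"

def fixed_feed_item(body: str) -> str:
    """The fix: render exactly as the site does, then entity-encode the HTML
    for the XML (html.escape standing in for PHP's htmlentities())."""
    desc = html.escape(render_bbcode(body), quote=False)
    return f"<item><description>{desc}</description></item>"

def reader_view(item_xml: str) -> str:
    """What a feed reader sees after XML parsing: the entity-decoded
    description string, which it then renders as HTML."""
    return ET.fromstring(item_xml).find("description").text or ""

if __name__ == "__main__":
    print(reader_view(fixed_feed_item(SAMPLE_POST)))
```

After parsing, the reader gets back exactly the HTML the site renders: the [url] link is live, while the pasted anchor survives only as escaped text.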
2 Comments
This could also cause problems in comments, if they’re offered in an RSS feed — your spammers could post HTML and it might be "live" in the RSS feed. That’s assuming, of course, that comments aren’t handled entirely differently, are available in RSS feeds, and that you didn’t just solve the problem.
Thanks for the heads up, apotheon, but comments for this site are not offered as a feed. I might add that in the future, though, so I’ll be sure to use the same transforms for the text.