15

I've looked around, and it doesn't seem like there's any standard of what HTML tags are 'allowed' in RSS - you could put anything in. But the readers I tested only allow certain things.

In my initial testing, it seems like simple styling tags like <b> are fine. So are inline styles like <span style="color:red">. <img>s seem to work.
But <iframe>s are ignored, as are <script> blocks.
Onclick attributes don't work.
<style> blocks work in some readers but not others.

Is there a general consensus, standard, or comparability site listing what is and isn't supported in what readers?
I want to know what the subset of HTML tags I can use in feeds is.

4
  • Do you just put in the tags as they are, or is there some special markup for them? Cuz I figured HTML tags would be misinterpreted by XML readers as separate items. Commented Mar 3, 2016 at 21:44
  • Adding a bounty to this question to get it some fresh eyes. Commented yesterday
  • 1
    @artlung what is wrong with the existing answers here? The answer is, it depends on the client. Given that RSS is (to be charitable) far less prominent than it was when this question was asked, I can't imagine what you expect to have changed in the intervening 15 years. Commented 19 hours ago
  • @miken32 feel free to leave that as an answer if you feel that is an adequate answer. Commented 16 hours ago

6 Answers

11
<item>
<title>How to parse full html content in xml feeds</title>
<!-- The HTML sits inside CDATA, so the XML parser passes it through as text -->
<description><![CDATA[<html><body>Any code html is valid here like &nbsp; 
 and what ever you want to transfer</body></html>]]></description>
<guid>http://example.com/your-news-id</guid>
</item>

1 Comment

Whilst all HTML tags are supported by the spec, the feed readers only support a limited range of tags.
2

I don't think there's a standard here - it's all about what the RSS reader itself is willing to implement. So my guess would be that, for example, Google Reader would wash out tags and the like and dangerous HTML and CSS attributes, and then allow whatever other sort of non-blacklisted tag you would dare to include.

So, yeah. There's no specification, and therefore likely no standard - just the same general XSS prevention techniques we see across the whole interwebs. Your only option is to try out various tags that you think may be contentious (though really I'd expect almost anything but CSS styling would be permitted) in different RSS readers to see what happens, or simply to have your content ready to fall back to a more basic format if the desired HTML/CSS is not permitted.

What in particular are you trying to do? You may be able to get better answers if you can specify - or is this just a question of curiosity?

2 Comments

Mostly curiosity. I'd love to let users do things like vote up and down articles using javascript and ajax from within a RSS Reader, but I guess the best I'll be able to do is external links with unique tokens.
Mhm. If my RSS Reader allowed Javascript, well, I'd just be mad. It's tough being both a developer and a user xD
1

I think the 'right' thing to do is either include an xhtml namespace (xmlns:html="http://www.w3.org/1999/xhtml") or put the HTML data in a CDATA section.
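
The CDATA and escaping options from the answers above, as an added Python example (not code from any of the posts): CDATA and entity-escaped HTML reach the reader as the same string, while unencoded tags are either parsed as XML child elements or make the feed ill-formed. The helper names and sample markup are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

def cdata(html):
    """Wrap html in CDATA; a literal ']]>' is split so it cannot end the section."""
    return "<![CDATA[" + html.replace("]]>", "]]]]><![CDATA[>") + "]]>"

def item_xml(description_xml):
    """Build an <item> whose <description> holds already-encoded content."""
    return ("<item><title>t</title>"
            f"<description>{description_xml}</description></item>")

def description_seen_by_reader(item):
    """The string an XML parser hands to the feed reader."""
    return ET.fromstring(item).findtext("description")

def raw_markup_outcome(html):
    """Embed html with no encoding and report what the XML parser does with it."""
    try:
        desc = ET.fromstring(item_xml(html)).find("description")
    except ET.ParseError:
        return "not well-formed XML"
    return f"text={desc.text!r}, child elements={[c.tag for c in desc]}"

# Constructed sample markup.
HTML = '<p>Hi <b>there</b> &amp; <img src="https://example.com/a.png" alt="a"></p>'
TRICKY = "<p>literal ]]> in the text</p>"

if __name__ == "__main__":
    print(description_seen_by_reader(item_xml(cdata(HTML))))     # CDATA
    print(description_seen_by_reader(item_xml(escape(HTML))))    # entity-escaped
    print(description_seen_by_reader(item_xml(cdata(TRICKY))))   # ']]>' survives
    print(raw_markup_outcome(HTML))                # unclosed <img> breaks the XML
    print(raw_markup_outcome("a&nbsp;b"))          # &nbsp; is not an XML entity
    print(raw_markup_outcome("<p>Hi <b>there</b></p>"))  # tags become elements
```

Either encoding only gets the markup through the XML layer intact; what is rendered afterwards is still up to the reader's own HTML filtering.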


1

Supported meta tags (many can have attributes if proper):

<!-- RSS comment -->
<copyright>
<channel>
<title>
<description>
<category>
<image>
<link>
<comments>
<language>
<item>
<guid>
<source>
<author>
<enclosure>
<pubDate>
<lastBuildDate>
<managingEditor>
<webMaster>
<generator>
<docs>
<cloud>
<ttl>
<rating>
<textInput>
<name>
<skipHours>
<skipDays>

Supported body tags:

<p>, <span>, <strong>, <b>, <i>, <em>, <br>

Supported body tags with attributes:

<a href="URL">
<img src="URL" alt="description">

Supported body tags by some readers (you will need to test it):

<picture>, <figure>, <div>, <h1>, <h2>, <h3>, <h4>, <h5>, <h6>, <span style="color:red">

Not supported:

<iframe>, <script>, <style>

IMPORTANT:

  • Use plain text within all tags to avoid issues
  • All elements must have a closing tag
  • Elements are case sensitive
  • Elements must be properly nested
  • Attribute values must always be quoted
  • There is no official standard for RSS
  • It is not possible to cover the whole topic here
  • Use resources to keep valid and up-to-date

https://www.w3schools.com/xml/xml_rss.asp

https://www.rssboard.org/rss-specification

https://www.rssboard.org/rss-validator/


SANITIZING / TESTING: it does not seem there are any public test suites. Yet, it's worth seeing the following:

https://digialert.com/index.php/resources/blog/blog/vulnerability-assessment-and-pentesting/rss-feed-injection

https://github.com/bigapplemonkey/Feed-Reader-Testing (jasmine-based test suite for a web-based application that reads RSS feeds; seems abandoned, but can be a ramp to start)

https://github.com/FreshRSS/FreshRSS/issues/3497 (thread on FreshRSS feed filtering functionality)

5 Comments

[citation needed]
Thanks so much for attempting an answer! Lots of good stuff on this. I suggest looking at some open source RSS Readers to quantify what they do to sanitize HTML. I know I've seen <picture> and <figure> elements come through with their associated captions correctly in a few readers. I wonder if there's a test suite to check for the sanitization process.
Always welcome. As to testing suites - unfortunately, not aware of. Yet, see the post update, maybe it will help you somehow. And as to <picture>, <figure>, - yeah surely some readers can easily be set up to support non-standard tags.
developer.mozilla.org/en-US/docs/Web/HTML/Reference/Elements/… and developer.mozilla.org/en-US/docs/Web/HTML/Reference/Elements/… are both standard parts of the web platform, both well supported across current browsers.
Yeah sure, yet I meant those are non-standard for RSS readers; will include them in partially supported.
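
An added Python example (not taken from any reader's code) of the allowlist filtering the answers describe, built from the tag lists in the answer above. Dropping every `style` attribute and keeping only absolute http/https URLs are assumptions made here; individual readers differ.

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Allowlist from the "supported body tags" lists above: tag -> attributes kept.
ALLOWED = {"p": (), "span": (), "strong": (), "b": (), "i": (), "em": (),
           "br": (), "a": ("href",), "img": ("src", "alt")}
DROPPED_WITH_CONTENT = {"script", "style", "iframe"}  # the "not supported" list
VOID = {"br", "img"}               # elements that take no closing tag
SAFE_SCHEMES = {"http", "https"}   # assumption: absolute web URLs only

def safe_url(value):
    try:
        return urlsplit(value.strip()).scheme.lower() in SAFE_SCHEMES
    except ValueError:             # malformed URL: treat as unsafe
        return False

class FeedSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.skip = [], 0    # skip > 0 while inside a dropped element
    def handle_starttag(self, tag, attrs):
        if tag in DROPPED_WITH_CONTENT:
            self.skip += 1
        if self.skip or tag not in ALLOWED:
            return                     # unknown tag: markup dropped, text kept
        kept = ""
        for name, value in attrs:      # onclick=, style= etc. are never listed
            if name in ALLOWED[tag] and value is not None and (
                    name == "alt" or safe_url(value)):
                kept += f' {name}="{escape(value, quote=True)}"'
        self.out.append(f"<{tag}{kept}>")
    def handle_endtag(self, tag):
        if tag in DROPPED_WITH_CONTENT:
            self.skip = max(0, self.skip - 1)
        elif not self.skip and tag in ALLOWED and tag not in VOID:
            self.out.append(f"</{tag}>")
    def handle_data(self, data):
        if not self.skip:
            self.out.append(escape(data, quote=False))

def sanitize(html):
    parser = FeedSanitizer()
    parser.feed(html)
    parser.close()                     # flush any buffered text
    return "".join(parser.out)

# Constructed sample mixing the cases reported in the question.
SAMPLE = ('<p onclick="vote()">Hi <b>there</b> <span style="color:red">red</span></p>'
          '<script>vote()</script><iframe src="https://example.com/"></iframe>'
          '<style>p{color:red}</style><img src="https://example.com/a.png" alt="a">')
```

Running `sanitize(SAMPLE)` keeps the paragraph, bold text, bare `<span>` and image, and removes the handler attribute, the inline style and the three dropped elements with their content.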
0

I don't think there's any "official" answer. It might depend on what level of compatibility you're aiming for.

I'd keep it to the basic text formatting tags (STRONG, EM, etc) and IMG and A and that's about it.


-2

In fact, no HTML attributes are allowed in RSS feeds. Only XML tags listed in the specification posted above are allowed. Also, since it is XML, only some Unicode encodings are allowed (e.g. UTF-8). That many RSS providers do not respect the standard is another matter.
