3789RSS 2.0: Restriction on Whitespace in |

  • Morbus Iff
    Sep 15, 2002
      From the RSS 2.0 spec (and originally "from the Netscape 0.91 spec"):

      RSS places restrictions on the first non-whitespace characters of the data in
      <link> and <url> elements. The data in these elements must begin with http://
      or ftp://. Among others, https:, file:, mailto:, news:, and javascript: are
      not permitted.

      I'd like to suggest one of two possibilities. One, that only these are allowed:

      http:// https:// ftp:// news:// mailto:

      Or two, that all protocols are allowed. The first suggestion branches out
      into more common protocols: https:// (for e-commerce), news:// (not as
      important, but still used to point to specific groups), ftp:// (obvious),
      and mailto: to point to an email address (thus spawning the user's email
      program), as opposed to the <author>, which is just plain text (and
      contains no application-spawning abilities, since including full names
      confuses the issue).

      The second proposal says "ok, well, we shouldn't make that decision for the
      end-user", but does weaken security: with javascript:// and file://
      allowed, we're potentially giving the producer too much control over the
      user's machine.

      It's not enough to say "ok, you could use *all* protocols except for
      file:// and javascript://", because that inspires a false sense of security
      - if we say "these protocols can be used for malicious purposes", that's
      suggesting other protocols (currently unknown to us) have been "approved"
      for the user's safety.

      Myself, I prefer the first option - allowing the five protocols. The
      downside, however, is that five years from now, when some other protocol is
      popular, the RSS 2.0 spec won't scale for it (without the use of


