It’s just data

Auto-inlining SVG

Jeff Schiller: Wouldn’t it also be possible for Sam to do this object->inline conversion on the planet side?  Requiring everyone producing feeds to do this seems like more work than to do it in one central location.

Such code would need to handle gzipped/deflated content, and should play nicely with caches.  For a number of reasons, that means that such functionality would be easier to add to Mars than to Venus.  In fact, it is easy enough to do so that I went ahead and did it.  Those who care to can take a look at the output.

As with most things, however, things aren’t as easy as they might seem.  With your feed, for example, there is no indication of what the dimensions of the object are to be.  This information is only present in your CSS, which is only linked from your HTML page.

To be able to support Erik's usage, I will need to autogenerate a wrapper span element to house the style attribute.


Good point about the CSS.  What’s the right way to link CSS within an Atom file?  Would I use <?xml-stylesheet ?> for a subset of my styling to provide for the shape, position, layout of the <object> elements?  What would happen if I also wanted to choose a font family and size for my XHTML content?  Would Venus override/ignore that?

I think I need to take a step back and think about what we’re doing here.  So we’re embedding some textual content inside Atom XML - that (X)HTML content is aggregated at one or more websites.  That HTML content is styled either inline (with style attributes or <style> elements) or by the aggregating site.  As long as HTML is just the “content” then this seems sane - I would frown on any inline styling in this case.

Now introduce images into the syndicated content and what’s the “right” thing to do?  I don’t think the aggregating software would want to deal with all the myriad stylings across multiple feeds.  Aggregation of feeds should look consistent, shouldn’t it?

P.S. Not sure if the typo in my name is a result of the email I sent you this morning - I had a chuckle anyway...

Posted by Jeff Schiller at

typo fixed, both in the post and on the planet.  sorry about that.

The more work you expect the consumer to do, the less likely you will see it done.  I know of no consumer which will handle external CSS.  Heck, few support inline style attributes.

At the present time, Venus supports inline SVG and inline CSS.  Mars supports inline and external SVG and inline CSS.

Posted by Sam Ruby at

Heck, few support inline style attributes.

I’m curious what makes you think that. In my experience, very few feed readers make it a rule to strip inline styles. That’s not to say that there isn’t selective stripping of certain kinds of styles, for security or aesthetic reasons, but in general I would expect most inline styles to work just fine.

Posted by James Holderness at

In my experience, very few feed readers make it a rule to strip inline styles.

It would be sad to think that syndication has such a short term memory that lessons such as these are soon forgotten.

Posted by Sam Ruby at

What’s the right way to link CSS within an Atom file?

Ironically, <font> tags work best.  Or more generally: presentational markup.  <font>, <center>, <big>, <small>, <s>, <u>, <b>, <i>.  <xmp> and <plaintext> are also fun, for different reasons.

Sam added “safe CSS parsing” to the Universal Feed Parser about a year ago, which I didn’t think could be done.  I’m still not convinced that some weird combination of escaping couldn’t break it, but I’ve never found anything.

Posted by Mark at

It would be sad to think that syndication has such a short term memory that lessons such as these are soon forgotten.

I thought the lesson learnt was never to subscribe to Mark’s feed. Presentational pranks like that only really affect readers using a “newspaper” view, and even then it’s more annoying than it is damaging. Unsubscribe and the problem goes away. It may be more of an issue for browser-based readers, but I suspect they have learnt to deal with that sort of thing. Stripping all styles seems like overkill, and wouldn’t solve the problem anyway.

Ironically, <font> tags work best.

In general that may be true, but it’s worth noting that I’ve encountered more than one major feed reader that would strip font tags but would allow inline styles (although I haven’t tested recently so things may have changed). Either way, I really don’t think this is a major problem - both forms of stripping are fairly rare.

Posted by James Holderness at

I thought the lesson learnt was never to subscribe to Mark’s feed.

A short while after that, I picked up where Mark left off (example), and while it created a bit of a stir for a while, I did not suffer in terms of subscribers.

And meanwhile, some developers of feed readers turned out to be quite civil.  Others adopted absurd pseudonyms.  Me?  I continue to be subscribed to Mark’s feed.

more annoying than it is damaging

That’s due to restraint on Mark’s and my part.  This explores further into what might have been had we not exercised restraint.

both forms of stripping are fairly rare.

Here is a discussion from four months ago when a lead developer of a prominent feed reader asserted that most readers completely remove all styles.

I continue to believe that it is very important that feed consumers whitelist what styles they do accept, even if what they end up using is an empty whitelist (i.e., strip all styles).

Posted by Sam Ruby at
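
An added example, not code from the post, the commenters, the Universal Feed Parser or html5lib: a minimal allowlist filter for inline style attributes of the kind the comment above recommends, where an empty allowlist strips everything. The property and keyword sets, the value pattern and the sample attributes are assumptions chosen for illustration.

```python
import re

# Assumed allowlists for illustration; each consumer chooses its own.
# Passing an empty set strips every style.
ALLOWED_PROPERTIES = {"color", "font-weight", "font-style", "text-align",
                      "width", "height", "float", "margin", "padding"}
ALLOWED_KEYWORDS = {"auto", "bold", "italic", "normal", "left", "right",
                    "center", "none", "red", "green", "blue", "black"}
# Hex colours and non-negative lengths. Negative lengths are refused
# because they let one entry draw over its neighbours.
VALUE_RE = re.compile(r"#[0-9a-f]{3}|#[0-9a-f]{6}|\d+(\.\d+)?(px|em|pt|%)?")
# Every character an acceptable style attribute may contain.
SAFE_CHARS_RE = re.compile(r"[\sa-zA-Z0-9:;#%.-]*")


def sanitize_style(style, allowed=ALLOWED_PROPERTIES):
    """Return only the allowlisted declarations of an inline style."""
    # Reject the whole attribute on any unexpected character: this drops
    # backslash escapes, comments, quotes and parentheses, and with them
    # url(...) and expression(...).
    if not SAFE_CHARS_RE.fullmatch(style):
        return ""
    clean = []
    for declaration in style.split(";"):
        prop, sep, value = declaration.partition(":")
        prop, tokens = prop.strip().lower(), value.lower().split()
        if not sep or not tokens or prop not in allowed:
            continue
        if all(t in ALLOWED_KEYWORDS or VALUE_RE.fullmatch(t) for t in tokens):
            clean.append(f"{prop}: {' '.join(tokens)};")
    return " ".join(clean)


# Constructed sample attributes, not taken from any real feed.
SAMPLES = [
    "width: 100px; height: 80px; float: right",
    "color: red; position: absolute; top: 0; left: 0",
    "margin: -500px 0 0 0; padding: 4px",
    "color: red; background-image: url(http://tracker.example/x.gif)",
    "c\\6f lor: red",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(repr(sample), "->", repr(sanitize_style(sample)))
    print(repr(sanitize_style("color: red", allowed=set())))
```

The filter fails closed: anything it cannot parse with certainty is dropped rather than repaired, so one suspicious character costs the entry all of its styling.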

I thought the lesson learnt was never to subscribe to Mark’s feed.

But look at what you’re missing!

Posted by Mark at

even then it’s more annoying than it is damaging

You must have missed the part where I constructed a web page that could auto-subscribe you to a feed in Bloglines.  When you combine this with another Bloglines filtering bug, one could create a feed that, when you viewed it in Bloglines, would silently auto-subscribe you to another feed in Bloglines.  Of course the second feed could contain the same exploit.  And by “one could,” I mean “I did.”  Of course both bugs have long since been fixed, but others are surely lurking.

Unsubscribe and the problem goes away.

Yes, because all feeds in the world are produced by a single author and served directly from their own site with no intermediaries.  No one ever creates feeds out of mailing list archives, search queries, source repository commits, or wiki revisions.

Posted by Mark at

Mark wrote:

Sam added “safe CSS parsing” to the Universal Feed Parser about a year ago, which I didn’t think could be done.  I’m still not convinced that some weird combination of escaping couldn’t break it, but I’ve never found anything.

The same algorithm is used in the HTML5lib Sanitizer. There’s an extensive test suite. If we’ve missed something, it would be great to have a testcase.

Note, too, that SVG also presents some interesting sanitization challenges. I believe those are addressed in the HTML5lib Sanitizer, but the subject has not received the same level of scrutiny as sanitizing CSS.

Posted by Jacques Distler at

more annoying than it is damaging

That’s due to restraint on Mark’s and my part.  This explores further into what might have been had we not exercised restraint.

As I said, people do strip selective styles for security reasons. I thought your reference to Mark’s post was to suggest that there was some other reason why all styles should be stripped.

Here is a discussion from four months ago when a lead developer of a prominent feed reader asserted that most readers completely remove all styles.

I suspect that was mere speculation on his part. I don’t claim to know the workings of every feed reader on the planet, but I do tend to have more data to back up my theories than most - and my evidence suggests the exact opposite of what he is claiming. Even he doesn’t strip all styles anymore.

Posted by James Holderness at

Wordpress Quick Tag: SVG Clip Art

I had heard the advice, but somehow I had not really looked at the actual results. I guess my referenced SVG clip art was causing a bit of a problem in feed readers as the images were only sized via external CSS (which feed readers do not bother...

Excerpt from Something Witty Goes Here at
