TLDR: Which RSS tags are rendered as HTML, instead of being treated just as text? <description> is one of them.
I'm generating an RSS feed from users' input. I keep their original texts in the DB and escape on output when rendering HTML, so that it's not treated as HTML markup, but just as text.
I want to apply the same strategy to RSS feeds. I always escape for XML, but I'm not sure which RSS tags require HTML escaping.
<description> requires HTML escaping for sure, as I don't want the users' input to be treated as HTML and RSS clients do HTML-parse descriptions.
For example, a user enters <b>test</b>, so I escape it for HTML (&lt;b&gt;test&lt;/b&gt;) and finally for XML so that it's output like <description>&amp;lt;b&amp;gt;test&amp;lt;/b&amp;gt;</description>.
Which tags require HTML-escaping besides description?
I assume it's up to the RSS client to decide, but what's the common practice? What is it that most clients do?
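
The two escaping layers described in the question, as an added example that is not part of the original post. It compares XML-only escaping with HTML-then-XML escaping for a <description> element. The function names are hypothetical, and the reader simulation assumes a client that XML-parses the feed and then HTML-parses the description text.

```python
import html
import xml.etree.ElementTree as ET
from html.parser import HTMLParser
from xml.sax.saxutils import escape as xml_escape


def description_xml_only(user_text: str) -> str:
    """Weak form: escaped for XML only, so the reader receives live HTML."""
    return "<description>" + xml_escape(user_text) + "</description>"


def description_html_then_xml(user_text: str) -> str:
    """Layer 1: HTML-escape (the reader HTML-parses the description).
    Layer 2: XML-escape (the feed itself is an XML document)."""
    as_html_text = html.escape(user_text, quote=False)
    return "<description>" + xml_escape(as_html_text) + "</description>"


class _Collector(HTMLParser):
    """Records which tags and which text an HTML parser sees."""

    def __init__(self) -> None:
        super().__init__(convert_charrefs=True)
        self.tags: list[str] = []
        self.text: list[str] = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)

    def handle_data(self, data):
        self.text.append(data)


def reader_view(description_xml: str) -> tuple[list[str], str]:
    """Simulated client: XML-parse the element, then HTML-parse its text."""
    html_source = ET.fromstring(description_xml).text or ""
    parser = _Collector()
    parser.feed(html_source)
    parser.close()
    return parser.tags, "".join(parser.text)


if __name__ == "__main__":
    sample = "<b>test</b>"  # the user input from the question
    for build in (description_xml_only, description_html_then_xml):
        element = build(sample)
        print(build.__name__, element, reader_view(element))
```

With XML-only escaping the simulated reader sees a live b element; with both layers it sees no tags and displays the user's characters literally.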