Excellent reading for web engineers: How to consume RSS safely.
Mark lists 10 HTML elements that must be stripped to safely display HTML from an RSS feed. He mentions stripping style attributes from RSS, but fails to mention an even more imporant set of attributes: the JavaScript event attributes.
Sure, you’ll want to leave <img> tags in the RSS feed, but what about those nasty onmouseover="..." attributes?
onMouseOver is the least of your concerns; onLoad doesn’t even require user action (see my comments on Mark’s blog)
RSS Security Check for Readers
To check whether your favorite feed reader has implemented the necessary precautions against common attacks, simply subscribe to the free RSS Security Check: . It currently checks and reports the 10 most common vulnerabilities.