Avoid Using "< [Cdata[ ]]>" in RSS

Avoid Using "< [Cdata[ ]]>" in RSS(waspdev.com)

20 points by surprisetalk 3 days ago | 13 comments

Sephr 9 hours ago |

Manual string replacement with a hardcoded list of cases for escaping as suggested by the article isn't good advice for the use case of 'support inserting arbitrary text'.

Do use CDATA nodes, but only work on XML with an actual XML DOM library instead of string manipulation. Browsers have these built-in (DOMParser).

blenderob 6 hours ago | |

I totally understand the general advice of using actual XML DOM library for making DOM. But for my own understanding, I want to ask why the 5 escapes the OP suggests (&, <, >, " and ') aren't good enough? Do you see anyway to exploit it if these 5 are escaped? Someone kind enough to enlighten me?

moebrowne 4 hours ago | | |

They are:

> The ampersand character (&) and the left angle bracket (<) MUST NOT appear in their literal form, except when used as markup delimiters, or within a comment, a processing instruction, or a CDATA section. If they are needed elsewhere, they MUST be escaped using either numeric character references or the strings " & " and " < " respectively. The right angle bracket (>) may be represented using the string " > ", and MUST, for compatibility, be escaped using either " > " or a character reference when it appears in the string " ]]> " in content, when that string is not marking the end of a CDATA section.

> In the content of elements, character data is any string of characters which does not contain the start-delimiter of any markup and does not include the CDATA-section-close delimiter, " ]]> ". In a CDATA section, character data is any string of characters not including the CDATA-section-close delimiter, " ]]> ".

> To allow attribute values to contain both single and double quotes, the apostrophe or single-quote character (') may be represented as " ' ", and the double-quote character (") as " " ".

https://www.w3.org/TR/xml/#syntax

aji 9 hours ago |

i never really liked CDATA but i'm not buying the argument here since you can do the escaping with replaceAll("]]>", "]]]]><![CDATA[>") instead of four replaceAlls. (assuming you are writing your own xml serializer in javascript in 2026 for some reason)

senfiaj 7 hours ago | |

Just out of curiosity, I looked at the HN RSS feed and they still use regular escape for titles (and some other things, except description). It means they use 2 versions of escape instead of 1. So why not just use 1?

kijin 6 hours ago | | |

Different requirements.

The description contains HTML markup, such as <p></p> for paragraph breaks. CDATA is a nice and clean way to encode them without breaking anything.

The title doesn't contain any markup, and shouldn't. A good old escape function covers both the "doesn't" part and the "shouldn't" part.

kijin 6 hours ago | |

That assumes that you don't have anything else to escape or sanitize.

I see people stuffing all sorts of HTML tags and nonstandard attributes in an RSS <description>, just because CDATA allows them to do so without breaking the parser. Images, videos, inline SVGs with maybe some scripts inside...

The RSS spec should never have allowed this. Reading a feed would have been much more pleasant (not to mention safer for everyone!) if the contents were required to be in plain text.

tpmoney 33 minutes ago | | |

I’m not sure I understand why this is a problem. RSS is a spec for publishing a list of available content, or publishing the content directly. Formatting that content was always going to be something people wanted to do, so whether it was rich text, html or what became markdown, it was inevitable that aggregators were always going to have to deal with both publishes wanting their publication to have styles and users wanting their aggregator software to either handle that style or hide it.

At least with a cdata tag your being explicitly told “here be dragons”

Pikamander2 8 hours ago |

In my experience, liberal use of CDATA is often the only way to get third-party data-importing software to work correctly.

Whether it's efficient is a far second to whether it successfully imports the data.

Looking at you, WP All Import...

donohoe 6 hours ago |

I would not follow this advice. The most trouble I’ve had with RSS was usually from not having it. I also have never used CDATA at a word level - just wrap the full text block in it.

nreece 9 hours ago |

Imo, ease and multi-line HTML readability of CDATA outweighs that one edge case (it cannot directly contain its own terminator).

senfiaj 7 hours ago | |

But are most people going to read raw RSS? Just out of curiosity, I checked HN RSS, it still escapes character in a regular way (without CDATA) for titles. So, just keep 2 versions of XML escape instead of one?

lapcat 6 hours ago |

I come from a very different, old-school perspective, because I hand-write my blog posts in HTML and also hand-write my RSS feed in XML.

I've found CDATA invaluable, because I can just copy and paste the content from the HTML file to the XML file. I've never used the CDATA terminator characters in a blog post, so that's a non-problem.

DonHopkins 9 hours ago |

The worst use of the <BLINK> tag ever was the discussion held in the early days of RSS about escaping HTML in titles, whose attention-grabbing title went something like this: "Hey, what happens when you put a <BLINK> tag in the title???!!!"

The content of that notorious discussion went on and off and on and off for weeks, giving all the netizens of the RSS community blogosphere terrible headaches, with people's entire blogs disappearing and reappearing every second, until it finally reached a flashing point, when Dave Winer humbly conceded that it wasn't the user's fault for being an idiot, and maybe just maybe there was tiny teeny little design flaw in RSS, and it wasn't actually such a great idea to allow HTML tags in RSS titles.

I Wanna Be <![CDATA[

Sung to the tune of “I Wanna Be Sedated”, with apologies to The Ramones.

  Twenty-twenty-twenty four escapes to go, I wanna be <![CDATA[
  Nothin’ to markup and no where to quo-o-ote, I wanna be <![CDATA[
  Just get me through the parser, put me in a node
  Hurry hurry hurry before I go inline
  I can’t control my syntax, I can’t control my name
  Oh no no no no no
  Twenty-twenty-twenty four escapes to go….
  Just put me in a stylesheet, get me in a namespace
  Hurry hurry hurry before I go inline
  I can’t control my syntax, I can’t control my name
  Oh no no no no no
  Twenty-twenty-twenty four escapes to go, I wanna be <![CDATA[
  Nothin’ to markup and no where to quo-o-ote, I wanna be <![CDATA[
  Just get me through the parser, put me in a node
  Hurry hurry hurry before I go loco
  I can’t control my syntax I can’t control my name
  Oh no no no no no
  Twenty-twenty-twenty escapaes to go…
  Just get me through the parser…
  Ba-ba-bamp-ba ba-ba-ba-bamp-ba I wanna be <![CDATA[
  Ba-ba-bamp-ba ba-ba-ba-bamp-ba I wanna be <![CDATA[
  Ba-ba-bamp-ba ba-ba-ba-bamp-ba I wanna be <![CDATA[
  Ba-ba-bamp-ba ba-ba-ba-bamp-ba I wanna be <![CDATA[

Twenty-twenty-twenty four escapes to go, I wanna be <![CDATA[ Nothin’ to markup and no where to quo-o-ote, I wanna be <![CDATA[ Just get me through the parser, put me in a node Hurry hurry hurry before I go inline I can’t control my syntax, I can’t control my name Oh no no no no no Twenty-twenty-twenty four escapes to go…. Just put me in a stylesheet, get me in a namespace Hurry hurry hurry before I go inline I can’t control my syntax, I can’t control my name Oh no no no no no Twenty-twenty-twenty four escapes to go, I wanna be <![CDATA[ Nothin’ to markup and no where to quo-o-ote, I wanna be <![CDATA[ Just get me through the parser, put me in a node Hurry hurry hurry before I go loco I can’t control my syntax I can’t control my name Oh no no no no no Twenty-twenty-twenty escapaes to go… Just get me through the parser… Ba-ba-bamp-ba ba-ba-ba-bamp-ba I wanna be <![CDATA[ Ba-ba-bamp-ba ba-ba-ba-bamp-ba I wanna be <![CDATA[ Ba-ba-bamp-ba ba-ba-ba-bamp-ba I wanna be <![CDATA[ Ba-ba-bamp-ba ba-ba-ba-bamp-ba I wanna be <![CDATA[