Message

element should not contain script attribute

Explanation

Some feed elements are allowed to contain HTML. However, some HTML attributes, like onclick, are potentially dangerous and could cause unwanted side effects in browser-based news aggregators. In a perfect world, these dangerous attributes would be stripped out on the client side, but it's not a perfect world, so you should make sure to strip them out yourself.

The list of dangerous attributes varies from browser to browser, and even from browser version to browser version. As such, the Feed Validator takes a white-list approach and only accepts the following attributes:

abbr, accept, accept-charset, accesskey, action, align, alt, axis, border, cellpadding, cellspacing, char, charoff, charset, checked, cite, class, clear, cols, colspan, color, compact, coords, datetime, dir, disabled, enctype, for, frame, headers, height, href, hreflang, hspace, id, ismap, label, lang, longdesc, maxlength, media, method, multiple, name, nohref, noshade, nowrap, prompt, readonly, rel, rev, rows, rowspan, rules, scope, selected, shape, size, span, src, srcset, start, summary, tabindex, target, title, type, usemap, valign, value, vspace, and width
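As an added example (not the Feed Validator's own code), the following Python sanitizer applies the allow-list above to one feed element's HTML: it rebuilds the markup with only the permitted attributes and reports which ones it dropped, so you can see what a security-conscious client would remove. The class and function names are my own.

```python
from html import escape
from html.parser import HTMLParser
ALLOWED_ATTRIBUTES = frozenset(  # the allow-list quoted in the explanation above
    "abbr accept accept-charset accesskey action align alt axis border cellpadding "
    "cellspacing char charoff charset checked cite class clear cols colspan color "
    "compact coords datetime dir disabled enctype for frame headers height href "
    "hreflang hspace id ismap label lang longdesc maxlength media method multiple "
    "name nohref noshade nowrap prompt readonly rel rev rows rowspan rules scope "
    "selected shape size span src srcset start summary tabindex target title type "
    "usemap valign value vspace width".split())

class AttributeStripper(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=False)  # pass entities through as-is
        self.out = []
        self.dropped = []  # (tag, attribute) pairs removed, for reporting

    def handle_starttag(self, tag, attrs):
        kept = [tag]
        for name, value in attrs:  # HTMLParser has already lowercased names
            if name in ALLOWED_ATTRIBUTES:
                kept.append(name if value is None
                            else f'{name}="{escape(value, quote=True)}"')
            else:
                self.dropped.append((tag, name))
        self.out.append("<" + " ".join(kept) + ">")

    def handle_startendtag(self, tag, attrs):  # <img .../> style tags
        self.handle_starttag(tag, attrs)
        self.out[-1] = self.out[-1][:-1] + "/>"

    def handle_endtag(self, tag):
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(data)

    def handle_entityref(self, name):  # &amp; and friends, re-emitted verbatim
        self.out.append(f"&{name};")

    def handle_charref(self, name):  # &#169; / &#xA9;, re-emitted verbatim
        self.out.append(f"&#{name};")

def strip_unsafe_attributes(fragment):
    """Return (cleaned_html, dropped) for one feed element's HTML content."""
    parser = AttributeStripper()
    parser.feed(fragment)
    parser.close()
    return "".join(parser.out), parser.dropped
```

Comments and declarations are silently discarded by this parser, which is usually what you want for feed content; extend it with handle_comment if your feed relies on them.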

Solution

Consider removing the potentially unsafe HTML attribute. At a minimum, ensure that your content will still display as intended if this attribute is stripped by security-conscious clients.

Not clear? Disagree?

You might be able to find help in one of these fine resources.

Copyright © 2002-4 Mark Pilgrim and Sam Ruby