Remove any script tags from generated feed xml #69

Open
kirrg001 opened this issue May 9, 2017 · 3 comments

kirrg001 commented May 9, 2017

Hey! 👋

In my opinion node-rss should remove all script (e.g. iframe) tags from a generated feed, because some RSS validators show the following warnings/recommendations:

content:encoded should not contain iframe tag
description should not contain iframe tag

These warnings occur if you add custom_elements like

item.custom_elements.push({
  'content:encoded': {
    _cdata: '<iframe width="560" height="315" src="..." frameborder="0" allowfullscreen></iframe>'
  }
});

Refs https://validator.w3.org/feed/docs/warning/SecurityRisk.html

As this is a rule, it might be helpful for everybody. Let me know if you think that the caller should remove script tags by himself.

Collaborator

ErisDS commented May 9, 2017

@kirrg001 I'm the maintainer here ;)

I think the best approach for a non-breaking change would be to add a flag that is disabled by default, but when enabled auto-removes iframes? Possibly the same for #49, and then we can turn those features on by default for a 2.0.0 release?! 🤔

Author

kirrg001 commented May 9, 2017

yeah great idea 👍

jochenkirstaetter commented Jan 10, 2019

Hi,

That would be great. Discovered today that my automatic blog post distribution using Feedburner did not fire due to an invalid RSS feed. I ran into both issue #49 and this one. I'm using Ghost as my blogging platform (came from their issue #8442 here).

  • XML parsing error: :131:3519: not well-formed (invalid token)
  • content:encoded should not contain iframe tag
  • content:encoded should not contain script tag
  • content:encoded should not contain data-lang attribute

The iframe is related to the YouTube card, and the script element is based on the Twitter card in Ghost's editor.

I'm going to apply @ErisDS's ensureValid method from your branch to check whether invalid characters are going to be resolved.

Cheers, JoKi
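
Until node-rss has the flag proposed in this thread, a caller can strip the flagged elements before handing HTML to `custom_elements`. The code below is an added example, not part of the thread or of node-rss; `stripFlaggedElements` and `contentEncoded` are hypothetical names, and it covers only the `script` and `iframe` tags named above, repeating the removal until the output is stable so that cutting one element cannot splice a new tag together.

```javascript
'use strict';

// Added example, not node-rss code. The tag list is the two tags named in this
// thread; names are assumed to be plain letters (they go into a RegExp as-is).
const FLAGGED = ['script', 'iframe'];

// One pass: cut every flagged element, from its opening tag through its
// closing tag, and record what was cut.
function stripOnce(html, tags, removed) {
  // Opening tag; quoted attribute values may contain '>'.
  const open = new RegExp(`<(${tags.join('|')})(?=[\\s/>])(?:"[^"]*"|'[^']*'|[^'">])*>`, 'gi');
  let out = '';
  let pos = 0;
  let m;
  while ((m = open.exec(html)) !== null) {
    const name = m[1].toLowerCase();
    out += html.slice(pos, m.index);
    removed.push(name);
    // script/iframe bodies are raw text, so the first matching close tag ends them.
    const close = new RegExp(`</${name}\\s*>`, 'gi');
    close.lastIndex = open.lastIndex;
    // No close tag: an HTML parser would swallow the rest, so drop the rest.
    pos = close.exec(html) ? close.lastIndex : html.length;
    open.lastIndex = pos;
  }
  return out + html.slice(pos);
}

// Repeat until stable, so removing one element cannot splice a new flagged
// tag together from the text on either side of it.
function stripFlaggedElements(html, tags = FLAGGED) {
  const removed = [];
  let prev;
  do {
    prev = html;
    html = stripOnce(html, tags, removed);
  } while (html !== prev);
  return { html, removed };
}

// Hypothetical helper: builds the custom element in the shape used in the issue.
function contentEncoded(html) {
  return { 'content:encoded': { _cdata: stripFlaggedElements(html).html } };
}
```

The `removed` array lets the caller log which posts lost an embed, which is useful when a card silently disappears from the feed.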
