Nick Bradbury

Response: On Stripping Styles for Security

Adrian Sutton blogs about the lack of CSS support in RSS aggregators, and concludes:

"There has been a huge push in recent years to move away from the old habits of early HTML and to leverage CSS for presentation – the fact that it doesn’t work in feed readers is a major pain for people trying to do the right thing. It’s good that we identified a security threat and dealt with it quickly – but it’s not acceptable to stop there. We need to work to get the functionality that we used to have back without reintroducing the security risks. It’s not simple, but it is important."

That’s a valid point, and I’m glad Adrian raises it. As the author of both an HTML/CSS editor (TopStyle) and an RSS aggregator (FeedDemon), this is something that I’ve wrestled with quite a bit. On the one hand, I’ve promoted the power of CSS by creating a web authoring tool tailored for building CSS-based sites, yet on the other hand I’m taking that power away by creating an RSS reader that removes CSS from feeds. What gives?

It all started back in 2003, when Mark Pilgrim’s "platypus prank" illustrated how feeds containing CSS could be a problem. Most RSS aggregator developers (myself included) tackled this problem by completely removing all styles from feed content. Since then, I’ve experimented with stripping only "unsafe" CSS from feeds, and despite Adrian’s claim that doing so requires a lot of work, it’s actually quite easy to do (especially for me, since I already have code in TopStyle that could do this, and it would be painless to plunk it into FeedDemon).

The real problem isn’t security, though: it’s presentation (ironically). Leaving styles intact makes sense if you’re reading one post at a time, but it makes less sense in a river of news where posts from multiple feeds flow down the page. The purpose of a river of news isn’t to retain the presentation of any single post, but instead to provide a common presentation for all posts, making it easy to pick out the ones that interest you. If each post had its own style, you could end up with a river of news that looks like a ransom note. Given how some bloggers and MSM outlets will do anything to grab your attention, I’ll wager that outcome is far from unlikely.

Another problem – and this is one that bothers me when I don the TopStyle hat – is that if I followed Bloglines’ approach and permitted a whitelist of inline styles, then feed authors couldn’t use classes defined in an external style sheet. In other words, they’d be forced to resort to using style attributes on individual HTML tags, which kills the maintenance benefit of using CSS in the first place. To me, the best thing about CSS is that it enables storing a site’s presentation in a single file – just change the external style sheet, and that change will be reflected site-wide. This benefit is lost when you use inline styles.

So, perhaps the real question isn’t whether RSS aggregators should support inline styles, but whether they should support external styles as well. Despite my love for CSS, my vote would be no – not because it would be hard to do, but because of the potential impact on the feed-reading experience.

And if only inline styles are supported, which ones make the cut? Personally, I’d want a smaller whitelist than the one Bloglines supports, and I’d also want to make sure that properties such as "float" don’t impact subsequent posts in a river of news view.
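To make the "strip only unsafe CSS" idea and the whitelist question concrete, here is an added example written for this page; it is not FeedDemon or TopStyle code. It keeps a constructed whitelist of purely typographic properties, deliberately leaves out layout properties such as `float` and `position` so one post cannot disturb the posts below it in a river of news, and drops `<style>` blocks and `<link>` elements so no external style sheet is pulled in. The property list, the `_SAFE_VALUE` character class and the sample HTML are all assumptions made for the example.

```python
import html
import re
from html.parser import HTMLParser

# Constructed whitelist: typographic properties only. Layout properties such as
# float, clear, position, display, width/height and z-index are deliberately
# absent so one post's styles cannot push around or cover the posts after it.
SAFE_PROPERTIES = frozenset({
    "color", "background-color",
    "font-family", "font-size", "font-style", "font-weight",
    "text-align", "text-decoration", "line-height",
    "margin", "margin-top", "margin-right", "margin-bottom", "margin-left",
    "padding", "border", "border-color", "border-style", "border-width",
})

# A value may contain only these characters: no parentheses (so url() and
# expression() cannot appear), no backslash (no CSS escapes), no '<', no ':'.
_SAFE_VALUE = re.compile(r"^[\w\s#%.,'\"-]*$")

# Second layer, checked even though the character class already rules these out.
_FORBIDDEN = re.compile(
    r"url\s*\(|expression\s*\(|javascript|@import|behavior|-moz-binding",
    re.IGNORECASE,
)


def sanitize_style(style: str) -> str:
    """Return only the whitelisted declarations of a style attribute value."""
    kept = []
    for declaration in style.split(";"):
        if ":" not in declaration:
            continue
        prop, _, value = declaration.partition(":")
        prop, value = prop.strip().lower(), value.strip()
        if prop not in SAFE_PROPERTIES:
            continue  # unknown or layout-affecting property
        if not _SAFE_VALUE.fullmatch(value) or _FORBIDDEN.search(value):
            continue  # value could reach the network or the script engine
        kept.append(f"{prop}: {value}")
    return "; ".join(kept)


class FeedStyleSanitizer(HTMLParser):
    """Rewrites style attributes and drops <style> and <link> in an HTML fragment.

    This handles only the CSS question; tag and event-handler filtering for
    feed HTML is a separate step not shown here.
    """

    def __init__(self):
        super().__init__()  # convert_charrefs=True: data arrives unescaped
        self.out = []
        self._in_style = 0

    def _start(self, tag, attrs, self_closing):
        if tag == "style":
            self._in_style += 1
            return
        if tag == "link":
            return  # external style sheets (and anything else <link> loads) are dropped
        parts = [tag]
        for name, value in attrs:
            value = value or ""
            if name.lower() == "style":
                value = sanitize_style(value)
                if not value:
                    continue  # nothing survived; drop the attribute entirely
            escaped = html.escape(value, quote=False).replace('"', "&quot;")
            parts.append(f'{name}="{escaped}"')
        self.out.append("<" + " ".join(parts) + ("/>" if self_closing else ">"))

    def handle_starttag(self, tag, attrs):
        self._start(tag, attrs, self_closing=False)

    def handle_startendtag(self, tag, attrs):
        self._start(tag, attrs, self_closing=True)

    def handle_endtag(self, tag):
        if tag == "style":
            self._in_style = max(0, self._in_style - 1)
        elif tag != "link":
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self._in_style:  # the text of a <style> block is discarded
            self.out.append(html.escape(data, quote=False))


def sanitize_feed_html(fragment: str) -> str:
    """Return the fragment with only whitelisted inline CSS left in it."""
    parser = FeedStyleSanitizer()
    parser.feed(fragment)
    parser.close()
    return "".join(parser.out)


if __name__ == "__main__":
    # Constructed sample post: a float that would wrap later posts, an
    # absolutely positioned element, and a <style> block aimed at the whole page.
    sample = ('<p style="color: red; float: left">Hi <b style="position: absolute">x</b></p>'
              '<style>p { display: none }</style>')
    print(sanitize_feed_html(sample))
```

Everything that would let one post reach outside its own box, or reach the network, is removed by omission: the whitelist names what stays, so a new property a browser invents is rejected by default rather than needing a new blacklist entry.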

Update: Sam Ruby points out that there’s a Sanitation Rules wiki devoted to this topic.
