Response: On Stripping Styles for Security

Adrian Sutton blogs about the lack of CSS support in RSS aggregators, and concludes:

"There has been a huge push in recent years to move away from the old habits of early HTML and to leverage CSS for presentation – the fact that it doesn’t work in feed readers is a major pain for people trying to do the right thing. It’s good that we identified a security threat and dealt with it quickly – but it’s not acceptable to stop there. We need to work to get the functionality that we used to have back without reintroducing the security risks. It’s not simple, but it is important."

That’s a valid point, and I’m glad Adrian raises it. As the author of both an HTML/CSS editor (TopStyle) and an RSS aggregator (FeedDemon), this is something that I’ve wrestled with quite a bit. On the one hand, I’ve promoted the power of CSS by creating a web authoring tool tailored for building CSS-based sites, yet on the other hand I’m taking that power away by creating an RSS reader that removes CSS from feeds. What gives?

It all started back in 2003, when Mark Pilgrim’s "platypus prank" illustrated how feeds containing CSS could be a problem. Most RSS aggregator developers (myself included) tackled this problem by completely removing all styles from feed content. Since then, I’ve experimented with stripping only "unsafe" CSS from feeds, and despite Adrian’s claim that doing so requires a lot of work, it’s actually quite easy to do (especially for me, since I already have code in TopStyle that could do this, and it would be painless to plunk it into FeedDemon).

The real problem isn’t security, though: it’s presentation (ironically). Leaving styles intact makes sense if you’re reading one post at a time, but it makes less sense in a river of news where posts from multiple feeds flow down the page. The purpose of a river of news isn’t to retain the presentation of any single post, but instead to provide a common presentation for all posts, making it easy to pick out the ones that interest you. If each post had its own style, you could end up with a river of news that looks like a ransom note. Given how some bloggers and MSM outlets will do anything to grab your attention, I’ll wager that outcome is far from unlikely.

Another problem – and this is one that bothers me when I don the TopStyle hat – is that if I followed Bloglines’ approach and permitted a whitelist of inline styles, then feed authors couldn’t use classes defined in an external style sheet. In other words, they’d be forced to resort to using style attributes on individual HTML tags, which kills the maintenance benefit of using CSS in the first place. To me, the best thing about CSS is that it enables storing a site’s presentation in a single file – just change the external style sheet, and that change will be reflected site-wide. This benefit is lost when you use inline styles.

So, perhaps the real question isn’t whether RSS aggregators should support inline styles, but whether they should support external styles as well. Despite my love for CSS, my vote would be no – not because it would be hard to do, but because of the potential impact on the feed-reading experience.

And if only inline styles are supported, which ones make the cut? Personally, I’d want a smaller whitelist than the one Bloglines supports, and I’d also want to make sure that properties such as "float" don’t impact subsequent posts in a river of news view.
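To make the "smaller whitelist" and the "float" concern concrete, here is an added example (my own illustration, not code from FeedDemon, TopStyle or Bloglines) of a minimal inline-style sanitizer for feed-entry HTML. It keeps only a short list of cosmetic properties, drops any property that lets a post escape its own box in a river of news (float, position, offsets, sizing, negative margins), rejects values that fetch remote resources or that older engines treat as executable (url(), expression(), behavior, -moz-binding, CSS escapes), removes <style> and <link> so no external sheet can be pulled in, and strips class and id so a post cannot borrow rules from the reader’s own stylesheet. The property list, the regexes and the sample entry are assumptions chosen for the example, not any product’s actual rules.

```python
"""Whitelist-based sanitizer for CSS carried inside feed-entry HTML.

Added example: the allowed-property list, the unsafe-value patterns and the
sample entry below are assumptions for illustration, not a product's rules.
"""
import html
import re
from html.parser import HTMLParser

# Cosmetic properties that cannot move a post outside its own box.  Assumed list.
ALLOWED_PROPERTIES = {
    "color", "background-color", "font-weight", "font-style", "font-size",
    "font-family", "text-align", "text-decoration", "margin", "padding", "border",
}

# Properties that let one post spill over its neighbours in a river of news,
# or cover the reader's own UI.  Dropped regardless of value.
LAYOUT_ESCAPE = {
    "float", "clear", "position", "top", "left", "right", "bottom",
    "z-index", "display", "width", "height", "overflow",
}

# Values that fetch remote resources, or that some engines treat as code.
# Backslash escapes and comments are rejected too, since they are the usual
# way of smuggling the keywords above past a naive filter.
UNSAFE_VALUE = re.compile(
    r"url\s*\(|expression\s*\(|javascript:|behavior|-moz-binding|@import|\\|/\*",
    re.IGNORECASE,
)
# Negative lengths (e.g. "margin: -200px") can overlap the previous post.
NEGATIVE_LENGTH = re.compile(r"(?:^|[\s,(])-\.?\d")


def sanitize_style(style: str) -> str:
    """Return only the whitelisted, value-checked declarations of a style attribute."""
    kept = []
    for decl in style.split(";"):
        if ":" not in decl:
            continue
        name, value = decl.split(":", 1)
        name, value = name.strip().lower(), value.strip()
        if not value or name in LAYOUT_ESCAPE or name not in ALLOWED_PROPERTIES:
            continue
        if UNSAFE_VALUE.search(value) or NEGATIVE_LENGTH.search(value):
            continue
        kept.append(f"{name}: {value}")
    return "; ".join(kept)


class FeedStyleSanitizer(HTMLParser):
    """Re-emits an HTML fragment with style attributes filtered and style sources removed."""

    DROP_WITH_CONTENT = {"style", "script"}   # tag and everything inside it
    DROP_VOID = {"link"}                       # no content, drop the tag only
    DROP_ATTRS = {"class", "id"}               # could hook the reader's own CSS

    def __init__(self):
        super().__init__(convert_charrefs=False)
        self.out = []
        self._skip = 0   # nesting depth inside a dropped element

    def _attrs(self, attrs):
        parts = []
        for name, value in attrs:
            name = name.lower()
            if name in self.DROP_ATTRS:
                continue
            if name == "style":
                value = sanitize_style(value or "")
                if not value:
                    continue
            parts.append(name if value is None else f'{name}="{html.escape(value, quote=True)}"')
        return (" " + " ".join(parts)) if parts else ""

    def handle_starttag(self, tag, attrs):
        if tag in self.DROP_VOID:
            return
        if tag in self.DROP_WITH_CONTENT:
            self._skip += 1
            return
        if not self._skip:
            self.out.append(f"<{tag}{self._attrs(attrs)}>")

    def handle_startendtag(self, tag, attrs):
        if not self._skip and tag not in self.DROP_VOID | self.DROP_WITH_CONTENT:
            self.out.append(f"<{tag}{self._attrs(attrs)} />")

    def handle_endtag(self, tag):
        if tag in self.DROP_WITH_CONTENT:
            self._skip = max(0, self._skip - 1)
        elif not self._skip:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self._skip:
            self.out.append(data)

    def handle_entityref(self, name):
        if not self._skip:
            self.out.append(f"&{name};")

    def handle_charref(self, name):
        if not self._skip:
            self.out.append(f"&#{name};")


def sanitize_feed_html(fragment: str) -> str:
    """Sanitize the CSS in one feed entry's HTML and return the rewritten fragment."""
    parser = FeedStyleSanitizer()
    parser.feed(fragment)
    parser.close()
    return "".join(parser.out)


# Constructed sample entry: a hostile post that hides the reader's page, pulls in
# an external sheet, floats itself over the next post and phones home.
SAMPLE_ENTRY = (
    '<style>body { display: none }</style>'
    '<link rel="stylesheet" href="http://example.invalid/hijack.css">'
    '<p class="toolbar" style="color: red; float: left; position: absolute; top: 0; '
    'background: url(http://example.invalid/track.gif)">Hello</p>'
    '<div style="width: expression(alert(1)); margin: -200px">x</div>'
)

if __name__ == "__main__":
    print(sanitize_feed_html(SAMPLE_ENTRY))
```

The result for the sample entry is `<p style="color: red">Hello</p><div>x</div>`: the only declaration that survives is the cosmetic one, and the <style>, <link>, class and layout properties are gone. A sanitizer for a real reader also needs a tag and attribute whitelist for the non-CSS parts of the entry (event handlers, javascript: links, and so on); this block deliberately covers only the CSS side that the post is about.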

Update: Sam Ruby points out that there’s a Sanitation Rules wiki devoted to this topic.

ANN: TopStyle 3.5 RC3

OK, I lied: RC2 was not the last release candidate before TopStyle 3.5 goes final.  RC3 has just been released – for download details and release notes, please stop by the TopStyle Beta Site.

Most of the changes in RC3 are minor additions and fixes, but there is one big change: TopStyle’s site reports now support multiple class names (ex: <p class="one two">).  This is a long-overdue addition, and I’m glad to finally have it in.

Did I Sell Out (Part II)?

When I asked “Did I Sell Out?” yesterday, I was more than a little worried about the response I’d get.  So I’m both flattered and relieved to see so many positive comments.  My thanks to everyone who took the time to reply.

Of course, there were some negative reactions, mostly about TopStyle.  I want to make it clear that TopStyle’s stagnation was just as much my fault as it was NewsGator’s.  It would be easy to blame everything on the “big company that swallowed me up,” but the truth is that NewsGator has been exceptionally good to me.  As Ian Landsman points out, being acquired can be a horrible, demoralizing process – but that hasn’t been the case with NewsGator.  They’ve been very hands-off with my work, enabling me to feel like I’m still an independent developer despite working for such a huge corporation (that’s a joke, folks – we’re a fairly small company).  I won’t say that the acquisition has been easy, but I can’t imagine it being any easier.

Before the acquisition, I was already struggling to find time to update TopStyle due to all the attention that FeedDemon required, and that situation worsened after the acquisition, in part due to the extra work required to enable FeedDemon to support NewsGator’s synchronization platform (and synchronization was the key reason I sought the acquisition).  Really, the bottom line here is that I bit off more than I could chew (both pre- and post- acquisition), and TopStyle suffered as a result.

As many of you know, we’ve been searching for a developer to take over TopStyle for quite some time, and that proved more difficult than we anticipated.  Apparently it’s not easy finding someone who (1) has several years of Delphi programming experience, (2) has strong UI skills, (3) deeply understands the needs of web authors, and (4) can take over such a large project by themselves :)

This search delayed the next version of TopStyle far more than we would’ve liked, but the good news is that we have found someone who meets all four of the above criteria.  I don’t want to announce who it is just yet because he hasn’t officially started, but once he’s up to speed, I’ll introduce him here.  In the meantime, I’ll be working with him to take over TopStyle and define TopStyle 4.0’s feature set – yes, there will be a TopStyle 4.0!

Did I Sell Out?

Every now and then I’ll receive a comment like this one from someone claiming that I “sold out” when I was acquired by NewsGator.

On the one hand, I’m a little flattered by these comments, because they mean that someone relies on my software enough to get pissed off at me. And I try not to take them too seriously, since accusations of “selling out” happen all over the place – for example, every time a rock band changes direction, they’re accused of selling out, regardless of whether that change was for artistic or purely financial reasons.

But it’s hard not to be insulted, and it’s especially stinging when someone suggests that I have “zero attachment” to my software. I’m personally attached to every application I’ve created – I sweated over each one for a long time, and feel personally responsible for every bug, missing feature, and usability problem in them. And to think that my reason for being acquired was just to make money ignores the fact that I was doing just fine financially by selling two fairly popular applications as a one-man show.

Of course, I can understand why TopStyle customers would think I sold out. After all, TopStyle has stagnated since I was acquired by NewsGator. My hope is that making TopStyle 3.5 – which includes some fairly significant new features – a free upgrade will serve in some small part as an apology for taking so long between releases.

Given that I’m a somewhat-independent developer, my reputation means everything to me, and my name would be tarnished – perhaps forever – if I really did sell out at the expense of my software and its customers. Are these accusations of my selling out limited to a few disgruntled customers, or do a lot of people believe that I sold out?

I’d honestly like to know, so please feel free to comment here.

ANN: TopStyle 3.5 Beta

I’m pleased to announce that TopStyle 3.5 – which will be a free upgrade for all 3.x customers – is now in beta. New features in v3.5 include:

If you’d like to give it a spin, stop by the TopStyle Beta Site for details. Of course, since this is a beta release, it comes with the usual warning that you shouldn’t download it unless you’re comfortable using unfinished software.

TopStyle 3.5: Preview With an External URL

People have waited a long time for a new TopStyle, and to make up for this, I wanted to add one more big feature before releasing the first beta of TopStyle 3.5.

I wasn’t sure what to add, but then a customer named Ariba suggested that I add the ability to preview any URL using the style currently being edited.  This struck me as a great idea, so I turned up the music and started coding like a madman to make this feature possible.

Click on the image below to see an example of this feature in action, which shows the current style sheet being applied to CSS Zen Garden.  You can also choose to remove the existing styles from the external URL, so that you see the page styled solely with your style sheet.

I think you’ll find this feature extremely useful, especially when coupled with the new “Box Spy” feature.

TopStyle 3.5: What to call the new "Preview Spy" feature?

The big addition in the upcoming TopStyle 3.5 is a “preview spy” feature which exposes an HTML tag’s margins, padding and content box as you mouse over it in the preview. 

Watch a Flash movie of this feature

Trouble is, I don’t know what to call this feature.  “Preview spy” isn’t exactly exciting – it’s bland, whereas I think this feature is pretty cool.  CSSEdit for the Mac has a somewhat similar feature called “X-Ray,” but I’m not wild about stealing the name from someone else’s software.

Can anyone recommend a better name?

Update: OK, I’ve settled on the name “Box Spy” for this feature. Many thanks for all the great suggestions!