Abstract
Simplified text for Section 10
Status
Open
Related and Conflicting Proposals
Rationale
Based on WG discussion and feedback from the IETF
Proposal
Insert as the body of section 10:
10.1 HTML and XHTML Content
Text Constructs and atom:content allow the delivery of HTML and XHTML to receiving software, which may process it. Many elements in these languages are considered 'unsafe' in that they open clients to one or more types of attack. Implementers of software which processes Atom should carefully consider their handling of every type of element when processing incoming (X)HTML in Atom documents. See the security sections of RFC 2854 and HTML 4.01 for guidance.
Atom Processors should pay particular attention to the security of the IMG, SCRIPT, EMBED, OBJECT, FRAME, FRAMESET, IFRAME, META, and LINK elements, but other elements may also have negative security properties.
(X)HTML can either directly contain or indirectly reference executable content.
10.1.1 URIs
Atom Processors handle URIs. See Section 7 of RFC 3986.
10.1.2 IRIs
Atom Processors handle IRIs. See Section 8 of RFC 3987.
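
As an added illustration of the element handling that section 10.1 asks implementers to consider (not part of the proposal or of any Atom implementation), this Python sketch drops the nine elements listed there together with their content and keeps only an allowlist of other tags, since other elements may also be unsafe. The allowlist, the permitted URI schemes and all names are assumptions chosen for the example.

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Elements named in section 10.1; dropped together with anything nested in them.
FLAGGED = {"img", "script", "embed", "object", "frame", "frameset",
           "iframe", "meta", "link"}
VOID = {"img", "embed", "frame", "meta", "link"}  # no end tag, nothing nested
# Assumed allowlist (not from the proposal): tag -> attributes that are kept.
ALLOWED = {"p": (), "br": (), "em": (), "strong": (), "ul": (), "ol": (),
           "li": (), "blockquote": (), "code": (), "pre": (), "a": ("href",)}
SAFE_SCHEMES = {"http", "https", "mailto"}  # assumed policy

def safe_href(value):
    # Scheme allowlist; relative references (empty scheme) are dropped too.
    try:
        return urlsplit(value.strip()).scheme.lower() in SAFE_SCHEMES
    except ValueError:
        return False

class AtomHtmlSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.skip_depth = [], 0

    def handle_starttag(self, tag, attrs):
        if tag in FLAGGED:
            if tag not in VOID:
                self.skip_depth += 1  # suppress output until the end tag
            return
        if self.skip_depth or tag not in ALLOWED:
            return  # unknown tag: the tag is dropped, its text is kept
        kept = "".join(f' {k}="{escape(v)}"' for k, v in attrs
                       if k in ALLOWED[tag] and v is not None
                       and (k != "href" or safe_href(v)))
        self.out.append(f"<{tag}{kept}>")

    def handle_endtag(self, tag):
        if tag in FLAGGED:
            if tag not in VOID and self.skip_depth:
                self.skip_depth -= 1
        elif not self.skip_depth and tag in ALLOWED and tag != "br":
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(escape(data, quote=False))  # re-escape text

def sanitize(html_text):
    parser = AtomHtmlSanitizer()
    parser.feed(html_text)
    parser.close()
    return "".join(parser.out)
```

An unclosed flagged element suppresses everything after it, so malformed input fails closed.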