From the RSS 2.0 spec (and originally "from the Netscape 0.91 spec"):
RSS places restrictions on the first non-whitespace characters of the data in
<link> and <url> elements. The data in these elements must begin with http://
or ftp://. Among others, https:, file:, mailto:, news:, and javascript: are
not permitted.
I'd like to suggest one of two possibilities. One, that only these are allowed:
http:// https:// ftp:// news:// mailto:
Or two, that all protocols are allowed. The first suggestion branches out
into more common protocols: https:// (for e-commerce), news:// (not as
important, but still used to point to specific groups), ftp:// (obvious),
and mailto: to point to an email address (thus spawning the user's email
program), as opposed to the <author>, which is just plain text (and
contains no application-spawning abilities, since including full names
confuses the issue).
The second proposal says "ok, well, we shouldn't make that decision for the
end-user", but does weaken security: with javascript:// and file://
allowed, we're potentially giving the producer too much control over the
user's machine.
It's not enough to say "ok, you could use *all* protocols except for
file:// and javascript://", because that inspires a false sense of security
- if we say "these protocols can be used for malicious purposes", that's
suggesting other protocols (currently unknown to us) have been "approved"
for the user's safety.
Myself, I prefer the first option - allowing the five protocols. The
downside, however, is that five years from now, when some other protocol is
popular, the RSS 2.0 spec won't scale for it (without the use of
namespaces).
Thoughts?
--
Morbus Iff ( sleep breeds sanity )
Culture:
http://www.disobey.com/ and
http://www.gamegrene.com/
Tech:
http://www.oreillynet.com/pub/au/779 - articles and weblog
icq: 2927491 / aim: akaMorbus / yahoo: morbus_iff / jabber.org: morbus
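
Added example, not part of the original post: a feed consumer's check of <link> and <url> values against the five-prefix allowlist proposed above, run side by side with the "all except file: and javascript:" rule the post argues against. The feed, the function names and the vbscript: and data: entries are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Option one from the post: only these five prefixes are accepted.
ALLOWED = ("http://", "https://", "ftp://", "news://", "mailto:")
# The "everything except these" rule the post warns about.
DENIED = ("file:", "javascript:")

# Constructed sample feed (not taken from any real site).
SAMPLE_FEED = """<rss version="2.0"><channel>
<title>constructed sample</title>
<link>  http://example.org/ </link>
<item><link>HTTPS://example.org/shop</link></item>
<item><link>mailto:editor@example.org</link></item>
<item><link>javascript:void(0)</link></item>
<item><link>vbscript:placeholder</link></item>
<item><link>data:text/plain,hello</link></item>
<image><url>file:///tmp/placeholder</url></image>
</channel></rss>"""

def allowlist_ok(value):
    # The spec restricts the first non-whitespace characters, and URI
    # schemes are case-insensitive, so trim and lowercase before matching.
    return value.strip().lower().startswith(ALLOWED)

def denylist_ok(value):
    # Accepts anything that is not explicitly named as dangerous.
    return not value.strip().lower().startswith(DENIED)

def audit(feed_xml):
    """Return (value, allowlist verdict, denylist verdict) per <link>/<url>."""
    rows = []
    for el in ET.fromstring(feed_xml).iter():
        if el.tag in ("link", "url"):
            value = el.text or ""
            rows.append((value.strip(), allowlist_ok(value), denylist_ok(value)))
    return rows

if __name__ == "__main__":
    for value, allow, deny in audit(SAMPLE_FEED):
        print(f"{value!r:40} allowlist={allow!s:5} denylist={deny}")
```

The denylist passes the vbscript: and data: entries because nobody listed them, while the allowlist rejects everything it was not told to accept.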