Yesterday I learned that all our RSS feeds fail to render in IE7. This was a surprise, as feeds are often the least worrisome areas of output, normally bypassing rendering and compatibility issues. IE7 reported:

This feed contains a DTD (Document Type Definition). DTDs are used to define a structure of a webpage. Internet Explorer does not support DTDs in feeds.

We defined a DTD only to ensure encoding of certain characters, as a number of our feeds are generated from (X)HTML-based, content-managed information and often have content mishandled via software such as MS Word. In the past we have had some problems providing editing tools to suit certain departments, resulting in encoding and character-set problems, and the DTD assured us some control over this.

The Microsoft RSS Blog outlines the reason for the failure:

Feeds that reference a DTD are not supported by the RSS Platform. A DTD is used to help XML parsers with validation of the document. However, DTD validation is a potential source of security issues for XML parsers, and validation is not required for feeds to work correctly in aggregators.

The MSDN article referred to outlines situations where a malicious DTD could be used to launch a DoS attack from an untrusted source. Our fatal DTD, however, was inline:

<!DOCTYPE rss [<!ENTITY pound "&chr(34)&"£"&chr(34)&">]>

I can’t say I’m wholly impressed that my implicitly trustworthy (requested) content has, according to IE7, untrustworthy components.

The solution is, unsurprisingly, to remove the DTD entry – I call this a proprietary hack – and to keep an eye on the entities which have for operational reasons failed us in the past.
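
Once the DTD is removed, any `&pound;` reference left in the feed is undefined and the XML is no longer well-formed, so the references have to be rewritten as numeric character references at the same time. The sketch below is an added example, not the author's code; it is written in Python, and the function name `remove_dtd` and the sample feed are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET
from html.entities import name2codepoint

XML_PREDEFINED = {"amp", "lt", "gt", "quot", "apos"}
DOCTYPE_RE = re.compile(r"<!DOCTYPE\s+[^\[>]*(?:\[(.*?)\])?\s*>", re.S)
ENTITY_RE = re.compile(r"<!ENTITY\s+([\w.-]+)\s+(\"[^\"]*\"|'[^']*')\s*>")
REF_RE = re.compile(r"&([A-Za-z_][\w.-]*);")

# Constructed sample feed using the inline DTD from the post.
SAMPLE = (
    '<?xml version="1.0"?>\n'
    '<!DOCTYPE rss [<!ENTITY pound "\u00a3">]>\n'
    '<rss version="2.0"><channel><title>Fees &amp; charges</title>'
    '<description>From &pound;10 &mdash; see site</description>'
    '</channel></rss>'
)


def remove_dtd(feed: str) -> str:
    """Drop the DOCTYPE and rewrite entity references as numeric ones."""
    declared = {}
    m = DOCTYPE_RE.search(feed)
    if m:
        for name, quoted in ENTITY_RE.findall(m.group(1) or ""):
            value = quoted[1:-1]
            # Refuse entities that reference other entities or carry markup:
            # nested expansion is the DoS case the parser restriction targets.
            if re.search(r"&(?!#)|<", value):
                raise ValueError(f"entity {name!r} is not a plain literal")
            declared[name] = value
        feed = feed[:m.start()] + feed[m.end():]

    def numeric(ref):
        name = ref.group(1)
        if name in XML_PREDEFINED:          # valid without any DTD
            return ref.group(0)
        if name in declared:                # entity from the removed DTD
            return re.sub(r"[^\x00-\x7f]",
                          lambda c: f"&#{ord(c.group())};", declared[name])
        if name in name2codepoint:          # HTML name pasted in by an editor
            return f"&#{name2codepoint[name]};"
        raise ValueError(f"undefined entity &{name};")

    feed = REF_RE.sub(numeric, feed)
    ET.fromstring(feed)  # raises ParseError if the result is not well-formed
    return feed
```

Running this as the last step of feed generation turns an entity that would otherwise break the feed into an error on the publishing side, before any reader sees it.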