SharePoint 2010: Stop Mixed Content Prompts on RSS Feeds Viewed on SSL-enabled Sites

I started on a new client site last week and my first task was immediately clear: I had to remove the Mixed Content Security prompt on the encrypted SharePoint intranet’s front page. Firebug showed that my browser was making calls to even though the RSS feed was an entirely different address at

My first instinct was to try to see if I could find the feed on HTTPS but did not respond to my request. Then I thought — the only reason my browser would be making calls to feedburner would be for tracking. Although it’s not a critical security threat or waste of bandwidth (the images were 1×1 gifs), I really didn’t want feedburner to collect information about our intranet so I decided it was probably best to just remove all embedded HTML code in the description. After some research, it looked like XSL was likely the best way to do this.

I’m not an XSL pro, but I can get around. My initial search for sample code led me to a promising XSL function (which I can’t find again to link :( ), but functions are only supported in XML namespace 2.0 and SharePoint uses 1.0 in the RSS Web Part. After reviewing the XSL provided in the SharePoint RSS Web Part, I decided to embed the strip-tags template within the GetSafeHtml template that is called for all the different types of feeds.

The following code strips every HTML tag (img, a, b, etc.) from the description, so you’re left with plain text. Clicking the title of the article to read more still works, of course. To use this in your own RSS feed, edit the RSS Web Part, click XSL Editor … at the bottom of the web part panel, and replace the GetSafeHtml template with the following code:

This code basically runs strip-tags on the final output of the description node, and aside from the strip-tags code itself, only adds 4 extra lines to your original XSL :)
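
As an added example (not the post's original listing), here is a standalone XSLT 1.0 stylesheet built around a recursive strip-tags named template of the kind described above. The stylesheet wrapper, the `rss/channel/item` layout, the file names and the `tracker.example` host are assumptions made for the demonstration.

```xslt
<?xml version="1.0" encoding="utf-8"?>
<!-- Added example, not the post's original listing. Constructed sample input (feed.xml):
     <rss><channel><item><title>Post</title>
     <description>Hello &lt;b&gt;world&lt;/b&gt;&lt;img src="http://tracker.example/p.gif" width="1" height="1"/&gt;</description>
     </item></channel></rss>
     Run with: xsltproc strip-tags.xsl feed.xml -->
<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
  <xsl:output method="text" encoding="utf-8"/>

  <!-- Assumed feed layout: one line of "title: plain-text description" per item -->
  <xsl:template match="/">
    <xsl:for-each select="rss/channel/item">
      <xsl:value-of select="title"/>
      <xsl:text>: </xsl:text>
      <xsl:call-template name="strip-tags">
        <xsl:with-param name="text" select="description"/>
      </xsl:call-template>
      <xsl:text>&#10;</xsl:text>
    </xsl:for-each>
  </xsl:template>

  <!-- XSLT 1.0 has no xsl:function and no regex, so the stripping is done by recursion:
       emit the text before the first '<', skip through the next '>', repeat on the rest. -->
  <xsl:template name="strip-tags">
    <xsl:param name="text"/>
    <xsl:choose>
      <xsl:when test="contains($text, '&lt;')">
        <xsl:value-of select="substring-before($text, '&lt;')"/>
        <!-- If the tag is never closed, substring-after returns '' and the tail is dropped -->
        <xsl:call-template name="strip-tags">
          <xsl:with-param name="text"
                          select="substring-after(substring-after($text, '&lt;'), '&gt;')"/>
        </xsl:call-template>
      </xsl:when>
      <!-- Base case: no '<' left, so nothing emitted can start a tag (or an http:// img request) -->
      <xsl:otherwise>
        <xsl:value-of select="$text"/>
      </xsl:otherwise>
    </xsl:choose>
  </xsl:template>
</xsl:stylesheet>
```

A `>` inside an attribute value ends that tag early, so a fragment of the attribute can survive as text; the output still never contains a `<`, which is what keeps the embedded tracking image from loading.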

Chrissy is a Cloud and Datacenter Management & Data Platform MVP who has worked in IT for over 20 years. She is the creator of the popular SQL PowerShell module dbatools, holds a master's degree in Systems Engineering and is coauthor of Learn dbatools in a Month of Lunches. Chrissy is certified in SQL Server, Linux, SharePoint and network security. You can follow her on Twitter at @cl.

Posted in Security, SharePoint
4 comments on “SharePoint 2010: Stop Mixed Content Prompts on RSS Feeds Viewed on SSL-enabled Sites”
  1. Mike H says:

    I just ran across exactly the same problem using a Feedburner feed in the RSS WP on an HTTPS site.

    I knew that it'd take some doing to find the original RSS feed on which the Feedburner feed was based, so I figured I'd edit the XSL. Rather than trying to edit directly against SharePoint in that tiny XSL Editor window, I had set up a project in Visual Studio to edit and debug the XSLT and quickly found that I needed extension objects for the ddwrt and rssaggwrt namespaces.

    Googling for that problem led me here where you've provided a nearly perfect solution. The only change I made was to limit the replacement to img tags only, thinking that I might want to preserve other HTML tags.


    • Hey Mike,
      Glad I could help! There is one additional change I want to make: fixing the raw HTML codes (I forget what they're called). You know, the way apostrophes show up as "#&146;". If/when I update that, I'll let you know. What does your final code look like, btw?

      • Mike H says:

        Hm. Looks like your feed is targeted to the Windows-1252 encoding. I don't have that issue with my feed. My apostrophes come across as the named character entity "’".

        I guess you'd have to add some sort of XSLT replace function (e.g.… ) to get rid of those Windows-1252-specific numeric entities.

        My version (not fully tested) looks like this:
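        <xsl:template name="strip-img">
          <xsl:param name="text"/>
          <!-- Recursively drop each <img ...> tag and keep the rest of the text -->
          <xsl:choose>
            <xsl:when test="contains($text, '&lt;img')">
              <xsl:value-of select="substring-before($text, '&lt;img')"/>
              <xsl:call-template name="strip-img">
                <xsl:with-param name="text" select="substring-after(substring-after($text, '&lt;img'), '&gt;')"/>
              </xsl:call-template>
            </xsl:when>
            <xsl:otherwise><xsl:value-of select="$text"/></xsl:otherwise>
          </xsl:choose>
        </xsl:template>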

  2. rajeev says:

    What if I want to preserve the img tag? Please help.
