SharePoint 2010: Stop Mixed Content Prompts on RSS Feeds Viewed on SSL-enabled Sites

I started on a new client site last week and my first task was immediately clear: I had to remove the Mixed Content Security prompt on the encrypted SharePoint intranet’s front page. Firebug showed that my browser was making calls to feeds.feedburner.com even though the RSS feed was an entirely different address at cio.com.

My first instinct was to try to see if I could find the feed on HTTPS but https://feeds.cio.com did not respond to my request. Then I thought — the only reason my browser would be making calls to feedburner would be for tracking. Although it’s not a critical security threat or waste of bandwidth (the images were 1×1 gifs), I really didn’t want feedburner to collect information about our intranet so I decided it was probably best to just remove all embedded HTML code in the description. After some research, it looked like XSL was likely the best way to do this.

I’m not an XSL pro, but I can get around. My initial search for sample code led me to a promising XSL function (which I can’t find again to link :( ), but functions are only supported in XML namespace 2.0 and SharePoint uses 1.0 in the RSS Web Part. After reviewing the XSL provided in the SharePoint RSS Web Part, I decided to embed the strip-tags template within the GetSafeHTML template that is called for all the different types of feeds.

The following code removes all content within HTML tags (img, a, b, etc) so you’re left with plain-text for the description. Clicking the title of the article to read more, still works, of course. To use this in your own RSS feed, edit the RSS Web Part, click on XSL Editor … at the bottom of the web part panel, and replace the GetSafeHtml template with the following code:

        <xsl:template name="GetSafeHtml">
            <xsl:param name="Html"/>
            <xsl:choose>
                <xsl:when test="$rss_IsDesignMode = 'True'">
                    <xsl:call-template name="strip-tags">
                        <xsl:with-param name="text" select="$Html"/>
                    </xsl:call-template>
                </xsl:when>
                <xsl:otherwise>
                    <xsl:call-template name="strip-tags">
                        <xsl:with-param name="text" select="rssaggwrt:MakeSafe($Html)"/>
                    </xsl:call-template>
                </xsl:otherwise>
            </xsl:choose>
        </xsl:template>

        <xsl:template name="strip-tags">
            <xsl:param name="text"/>
            <xsl:choose>
                <xsl:when test="contains($text, '&lt;')">
                    <xsl:value-of select="substring-before($text, '&lt;')"/>
                    <xsl:call-template name="strip-tags">
                        <xsl:with-param name="text" select="substring-after($text, '&gt;')"/>
                    </xsl:call-template>
                </xsl:when>
                <xsl:otherwise>
                    <xsl:value-of select="$text"/>
                </xsl:otherwise>
            </xsl:choose>
        </xsl:template>

This code basically runs strip-tags on the final output of the description node, and aside from the strip-tags code itself, only adds 4 extra lines to your original XSL :)

Chrissy is a PowerShell MVP who has worked in IT for nearly 20 years, and currently serves as a Sr. Database Engineer in Belgium. Always an avid scripter, she attended the Monad session at Microsoft’s Professional Developers Conference in Los Angeles back in 2005 and has worked and played with PowerShell ever since. Chrissy is currently pursuing an MS in Systems Engineering at Regis University and helps maintain RealCajunRecipes.com in her spare time. She holds a number of certifications, including those relating to SQL Server, SuSE Linux, SharePoint and network security. She recently became co-lead of the SQL PASS PowerShell Virtual Chapter. You can follow her on Twitter at @cl.

Posted in Security, SharePoint
4 comments on “SharePoint 2010: Stop Mixed Content Prompts on RSS Feeds Viewed on SSL-enabled Sites
  1. Mike H says:

    I just ran across exactly the same problem using a Feedburner feed in the RSS WP on an HTTPS site.

    I knew that it'd take some doing to find the original RSS feed on which the Feedburner feed was based, so I figured I'd edit the XSL. Rather than trying to edit directly against SharePoint in that tiny XSL Editor window, I had set up a project in Visual Studio to edit and debug the XSLT and quickly found that I needed extension objects for the ddwrt and rssaggwrt namespaces.

    Googling for that problem led me here where you've provided a nearly perfect solution. The only change I made was to limit the replacement to img tags only, thinking that I might want to preserve other HTML tags.

    Thanks.

    • Hey Mike,
      Glad I could help! There is one additional change I want to make: fixing the raw html codes (I forget what they're called.) You know, the way apostrophes show up as "#&146;" If/when I update that, I'll let you know. What does your final code look like, btw?

      • Mike H says:

        Hm. Looks like your feed is targeted to the Windows-1252 encoding. I don't have that issue with my feed. My apostrophes come across as the named character entity "&rsquo;".

        I guess you'd have to add some sort of XSLT replace function (e.g. http://stackoverflow.com/questions/7520762/xslt-1… ) to get rid of those Windows-1252-specific numeric entities.

        My version (not fully tested) looks like this:
        <xsl:template name="strip-img">
        <xsl:param name="text"/>
        <xsl:choose>
        <xsl:when test="contains($text, '&lt;img')">
        <xsl:value-of select="substring-before($text, '&lt;img')"/>
        <xsl:call-template name="strip-img">
        <xsl:with-param name="text" select="substring-after(substring-after($text, '&lt;img'), '&gt;')"/>
        </xsl:call-template>
        </xsl:when>
        <xsl:otherwise>
        <xsl:value-of select="$text"/>
        </xsl:otherwise>
        </xsl:choose>
        </xsl:template>

  2. rajeev says:

    what if i want to preserve img tag..? plz help

1 Pings/Trackbacks for "SharePoint 2010: Stop Mixed Content Prompts on RSS Feeds Viewed on SSL-enabled Sites"

Leave a Reply

Your email address will not be published. Required fields are marked *

*