Recently, Rob, I and a friend of ours - Clive - were chatting about the possibilities of cross-site scripting vulnerabilities brought about by the vast number of RSS syndication systems floating around.
The following is an unguarded <script> directive. If you’re reading this on my blog then it will, naturally, display. However, if you’re reading this entry via some syndication, then it may not.
If we’re wrong then all our fears are unjustified and I’ll get a raft of people complaining about me scaremongering. If we’re right to be worried though then people will discover that their RSS aggregators have at best nothing to worry about and at worst a great big gaping scary security hole of doom. Let’s hope our fears are unjustified.
Update: We have checked and LiveJournal seems to be nicely immune to this kind of attack so kudos to those guys for being switched on.