A popular [URL="http://www.rssreader.com/"]RSS-Reader[/URL] seems to have some kind of XSS flaw in the application that treats normal written text as embedded HTML code.
As the result below illustrates, whatever is entered in a thread or a blog, wherever it might be published, the content is not converted to secured text. Instead, it is treated as pure embedded HTML code. Not all code works properly, as some calls are rejected by the internal browser, but if you have a bit more knowledge about scripting, the possibilities may grow a bit larger, up to executing arbitrary code remotely.
[IMG]http://www.tornevall.net/storage/files/1191189600/1191237477_threaded_XSS.jpg[/IMG]
[B][SIZE=3]Result:[/SIZE][/B]
[IMG]http://www.tornevall.net/storage/files/1191189600/1191237120_RSSReader_1.0.88.0.jpg[/IMG]
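Added example (not from the original post and not RSSReader's own code): a Python sketch of the behaviour described above next to two ways a reader can handle item text before it reaches the internal browser, escaping everything or passing it through a small tag allowlist. The sample feed, the allowlist and all function names are constructed for illustration.

```python
import html
import xml.etree.ElementTree as ET
from html.parser import HTMLParser

# Constructed sample feed: item text that carries markup, as in the screenshots.
SAMPLE_FEED = """<?xml version="1.0"?>
<rss version="2.0"><channel><title>Constructed forum feed</title>
<item><title>Thread &lt;script&gt;alert(1)&lt;/script&gt;</title>
<description>&lt;b&gt;bold&lt;/b&gt; &lt;img src="x" onerror="alert(1)"&gt; &lt;a href="javascript:alert(1)"&gt;link&lt;/a&gt;</description>
</item></channel></rss>"""
ALLOWED_TAGS = {"b", "i", "em", "strong", "a"}  # assumption: formatting a reader wants to keep

class AllowlistSanitizer(HTMLParser):
    """Re-emit allowlisted tags without attributes; drop every other tag."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.skip = [], 0  # skip counts nesting inside <script>/<style>
    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self.skip += 1
        elif tag in ALLOWED_TAGS and not self.skip:
            href = dict(attrs).get("href") or ""
            # Only http(s) links keep their href; all other attributes are discarded.
            if tag == "a" and href.lower().startswith(("http://", "https://")):
                self.out.append('<a href="%s" rel="noopener">' % html.escape(href, quote=True))
            else:
                self.out.append("<%s>" % tag)
    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self.skip = max(0, self.skip - 1)
        elif tag in ALLOWED_TAGS and not self.skip:
            self.out.append("</%s>" % tag)
    def handle_data(self, data):
        if not self.skip:  # text inside script/style is dropped, other text is escaped
            self.out.append(html.escape(data))

def sanitize(fragment):
    parser = AllowlistSanitizer()
    parser.feed(fragment)
    parser.close()
    return "".join(parser.out)

def render_items(feed_xml, mode):
    """mode: 'raw' (behaviour described in the post), 'text' or 'allowlist'."""
    fix = {"raw": lambda s: s, "text": html.escape, "allowlist": sanitize}[mode]
    rows = []
    for item in ET.fromstring(feed_xml).iter("item"):
        title = item.findtext("title", "")
        title = title if mode == "raw" else html.escape(title)  # titles never need markup
        rows.append("<h3>%s</h3><div>%s</div>" % (title, fix(item.findtext("description", ""))))
    return "\n".join(rows)
```

In `raw` mode the script tag and the event-handler attribute reach the rendered page unchanged; `text` mode shows them as literal characters, and `allowlist` mode keeps only the bold and link text.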
