I can't seem to find any standard or specs on what HTML tags are allowed in the title or content of RSS feed or ATOM feed items. I was wondering if <form> tags are allowed (as in emails) and whether it can open some CORS/CSRF vulnerabilities.

If a webapp has not been careful and has used GET requests for non-safe actions, it can be exploited by other sites using forged requests. It does not even need any user action because CORS is not enforced on the <img> tag, where the src attribute can fetch a resource on the victim domain.

@nilesh If memory serves, the description of an RSS item can have any HTML so long as it's content-encoded. CORS I would think would be an issue if there were forms since a number of readers cache content so you wouldn't be able to use a CSRF token.
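A reader-side mitigation for the concern raised in this thread, written here as an added example (not code from the thread or from any feed reader): an allowlist sanitizer for an item's content-encoded HTML that removes <form> elements together with their contents and drops any <img> whose src would request a host other than the feed's own, the same policy mail clients apply to remote images. The feed URL, the tag allowlist and the item HTML are constructed for the example.

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit
# Constructed allowlist of tags/attrs a reader keeps; <form>, <input>, <script>, <iframe> etc. are removed.
ALLOWED = {"p", "a", "b", "i", "em", "strong", "ul", "ol", "li", "br", "code", "pre", "h1", "h2", "h3", "blockquote", "img"}
ALLOWED_ATTRS = {"a": {"href", "title"}, "img": {"src", "alt"}}
DROP_WITH_CONTENT = {"script", "style", "form", "iframe", "object"}  # their inner text goes too

class FeedSanitizer(HTMLParser):
    def __init__(self, feed_url):
        super().__init__(convert_charrefs=True)
        self.feed_url, self.out, self.dropped, self.skipping = feed_url, [], [], None

    def handle_starttag(self, tag, attrs):
        if self.skipping:
            return
        if tag not in ALLOWED:
            self.dropped.append(tag)
            self.skipping = tag if tag in DROP_WITH_CONTENT else None
            return
        attrs = {k: (v or "") for k, v in attrs if k in ALLOWED_ATTRS.get(tag, set())}
        if tag == "img":
            # An <img> is a credentialed GET to its src host (a CSRF vector for GET actions): keep only the feed's host.
            src = urljoin(self.feed_url, attrs.get("src", ""))
            if urlsplit(src).hostname != urlsplit(self.feed_url).hostname:
                self.dropped.append(f"img:{urlsplit(src).hostname}")
                return
            attrs["src"] = src
        rendered = "".join(f' {k}="{escape(v, quote=True)}"' for k, v in attrs.items())
        self.out.append(f"<{tag}{rendered}>")

    def handle_endtag(self, tag):
        if self.skipping:
            self.skipping = None if tag == self.skipping else self.skipping
        elif tag in ALLOWED and tag not in ("br", "img"):
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skipping:
            self.out.append(escape(data))

def sanitize_item_html(item_html, feed_url):
    s = FeedSanitizer(feed_url)
    s.feed(item_html)
    s.close()  # flushes text buffered by convert_charrefs
    return "".join(s.out), s.dropped
FEED_URL = "https://blog.example/feed.xml"  # constructed feed and item below
ITEM = ('<p>Hello <b>world</b></p><form action="https://bank.example/transfer"><input name="to" value="x"></form>'
        '<img src="https://bank.example/transfer?to=x&amp;amount=100" alt="">'
        '<img src="/images/logo.png" alt="logo">')
```

The returned `dropped` list is what a reader would log: for the constructed item it records the removed form and the cross-site image host, while the feed's own logo survives.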
