I can't seem to find any standard or specs on what HTML tags are allowed in the title or content of RSS feed or ATOM feed items. I was wondering if <form> tags are allowed (as in emails) and whether it can open some CORS/CSRF vulnerabilities.


If a webapp has not been careful and has used GET requests for non-safe actions, it can be exploited by other sites using forged requests. It does not even need any user action because CORS is not enforced on <img> tag where the src attribute can fetch a resource on the victim domain.
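As an added example that is not part of the original thread, here is a server-side guard in Python for the web app side of the problem: it refuses to serve state-changing routes over GET (so an `<img src>` in a feed item has nothing to hit) and, for POST, checks the browser-supplied `Sec-Fetch-Site` and `Origin` headers. The route paths, the app origin and the sample requests are constructed for this example.

```python
from dataclasses import dataclass, field

SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}
APP_ORIGIN = "https://app.example"  # assumed origin of the protected web app

# Routes that change state. Exposing one of these over GET is exactly the bug
# the thread describes; the guard refuses to serve such a route over GET.
STATE_CHANGING = {"/account/delete", "/settings/email"}


@dataclass
class Request:
    method: str
    path: str
    headers: dict = field(default_factory=dict)


def guard(req: Request) -> tuple[bool, str]:
    """Return (allowed, reason) for an incoming request."""
    h = {k.lower(): v for k, v in req.headers.items()}
    if req.path not in STATE_CHANGING:
        return True, "safe route"
    if req.method in SAFE_METHODS:
        return False, "state-changing action must not be reachable via GET"
    # Sec-Fetch-Site is set by the browser and cannot be forged by page content.
    sfs = h.get("sec-fetch-site")
    if sfs is not None and sfs != "same-origin":
        return False, f"cross-site request rejected (Sec-Fetch-Site={sfs})"
    # Older browsers: fall back to the Origin header, which is also browser-set.
    origin = h.get("origin")
    if origin is None:
        return False, "missing Origin header on state-changing request"
    if origin != APP_ORIGIN:
        return False, f"Origin {origin} does not match {APP_ORIGIN}"
    return True, "ok"


# Constructed sample requests, as a browser would emit them.
SAMPLES = {
    # <img src="https://app.example/account/delete"> rendered from a feed item
    "img_in_feed": Request("GET", "/account/delete",
                           {"Sec-Fetch-Site": "cross-site", "Sec-Fetch-Dest": "image"}),
    "legit_post": Request("POST", "/account/delete",
                          {"Origin": APP_ORIGIN, "Sec-Fetch-Site": "same-origin"}),
    "forged_form_post": Request("POST", "/account/delete",
                                {"Origin": "https://reader.example", "Sec-Fetch-Site": "cross-site"}),
    "feed_fetch": Request("GET", "/feed.xml", {"Sec-Fetch-Site": "cross-site"}),
}


def evaluate_samples() -> dict:
    return {name: guard(r)[0] for name, r in SAMPLES.items()}
```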
