In his post "Or, maybe more strict", Phil Ringnalda writes:
I've been idly thinking about starting a campaign to get RSS/Atom aggregator authors (and validator authors, as well) to be a little less strict and dogmatic about what feed content is uniformly evil, and must be stripped out in all cases. We have a roughly shared (and mostly unexamined) set of standards, mostly based on Mark Pilgrim's groundbreaking post, saying that you should never allow, among other things, any Javascript, any CSS styles, or any object or embed elements...But, the inevitable but: the more you look, the more evil there is in the world...Or, say you have a Windows program embedding the IE browser control. You've carefully managed your security zone, so objects are no more dangerous than they are in general, you only display one entry at a time so CSS is no danger, and you've built your own popup blocker so you don't have any reason to strip Javascript. Then I come along again (maybe you should just refuse to subscribe to any of my feeds?), and drop in a simple little paragraph: <p style="height: expression(alert('gotcha'))">.
To the best of my knowledge, none of these things is a problem for RSS Bandit. As Phil points out in his post, when you embed the IE browser control you can actually choose your security zone, which is exactly what RSS Bandit does. By default RSS Bandit disables Javascript, ActiveX and Java applets. This is fully configurable by end users because we provide the option to change the web browser security settings used by RSS Bandit.