I'm not sure if this has been done before, but it might prove to be another way cross-site scripting is dangerous.

Right now I'm trying to create a global index of all corporate blogs on my new site www.blogsbycompany.com. I'm waaay off the target now, but it's a pet project I'm playing with at the moment (don't bother going to it - yet). Regardless, I'm seeing that people put HTML into their RSS feeds; I'm noticing it all over the place (and it does make sense). My site aggregates company blogs (I have about 8 thousand blogs right now - but, I'm not advertising the site because it's way off of where I want it), but I'm noticing that sometimes I get encoded JavaScript in my blog descriptions (I'm making sure that people are properly encoding the script or else I encode it for them before displaying it in the results page on my search site).

What this tells me is that if someone out there is poorly doing a web bot or a RSS aggregator site, they could potentially open their viewers up to someone running script in the browser or on the cilent through RSS feeds. Most people simply expect the RSS content to be nicely formatted, but if they foolishly try to decode script, they could really cause some damage to their readers.