
You are replying to:

    • Jake Howlett
    • Posted on Thu 2 Oct 2008 04:45 AM

    Aha. I see what you mean now. I managed to reproduce it and I too had to terminate IE.

    If you look at this post Link you'll see an example of a naughty HTML IMG tag about 2/3 of the way down. This isn't stored as HTML, and the XML for the feed doesn't contain any HTML for an image with an expression used for the style (IE only).

    My guess is that Google is "encoding" the HTML for transit and then "decoding" it for display. The img tag in my example must somehow get decoded as HTML, as they haven't double-encoded the & of the &lt; that is stored. Only a guess though. I'd have to look into it more but can't afford the time, as I don't see it as an issue with my content.

    It is worrying though! If I were you I wouldn't use feeds on iGoogle, as that seems like a massive hole in the security to me. If you subscribe to this site's comment feed then you're open to attack by any of the readers who post, as they too could execute code on your browser (and steal your Google session!?) by posting naughty HTML on my site. Although I protect the site and readers by replacing any < with a &lt;, it looks like Google is converting them back again.

    I might look into this some more if I get a chance...

    Jake
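As an added illustration (not part of Jake's comment or of the blog's code), the encoding-layer mismatch he guesses at, in Python with a constructed sample comment: the blog's HTML escaping, the feed's XML escaping on top of it, and a feed consumer that strips one layer too many. The Atom `<content type="html">` element and the `STORED_COMMENT` text are assumptions chosen for the demonstration.

```python
import html
import re
import xml.etree.ElementTree as ET

# Constructed sample: what the blog stores after replacing "<" and ">" with
# HTML entities, so the tag is meant to display as literal text, not render.
STORED_COMMENT = 'Look at this: &lt;img src="x" style="width:1px"&gt; tag'


def build_feed_entry(stored_html: str) -> str:
    """Wrap already HTML-escaped text in an Atom <content type="html"> element.

    ElementTree adds the XML escaping layer on top (each "&" becomes "&amp;"),
    which is correct: one encoding layer per format the text crosses.
    """
    entry = ET.Element("entry")
    content = ET.SubElement(entry, "content", type="html")
    content.text = stored_html
    return ET.tostring(entry, encoding="unicode")


def decode_xml_layer(feed_xml: str) -> str:
    """Consumer that removes only the XML layer.

    The HTML entities written by the blog survive, so a browser shows
    "<img ...>" as text when this string is rendered as HTML.
    """
    return ET.fromstring(feed_xml).find("content").text


def decode_twice(feed_xml: str) -> str:
    """Consumer that also html.unescape()s the content before display.

    The second decode turns the blog's "&lt;" back into a real "<", so the
    stored text becomes a live tag: the behaviour guessed at in the comment.
    """
    return html.unescape(decode_xml_layer(feed_xml))


def has_live_tag(markup: str) -> bool:
    """Crude check a consumer can run before injecting feed content into the DOM:
    a "<" followed by a letter means a tag will be parsed, not shown as text."""
    return re.search(r"<[A-Za-z]", markup) is not None
```

A real consumer should pass `type="html"` content through an allow-list sanitizer after the single XML decode rather than rely on this check alone.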
