New Response

You are replying to:

    • Jake Howlett
    • Posted on Thu 2 Oct 2008 03:17 AM

    Weird indeed guys.

    You mean the RSS feed from DEXT.nsf, right?

    The default title of documents people create when testing the XSS form is <script>alert('XSS')</script>. The stored value doesn't contain < or >, though; it just contains &lt; and &gt;. It is NOT stored as HTML. The fact that Google's feed reader renders it as HTML is worrying, to say the least.

    Does it just happen on the iGoogle homepage or in Google Reader too? I looked in both (using IE6) and can't see the problem. I just see the "html" rendered as text, as I'd expect it to be.
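One mechanism that would produce the rendering described above: an XML parser decodes `&lt;` and `&gt;` back to `<` and `>` when it reads the feed, so a reader that then inserts the title into its page as HTML is handing the browser the raw script tag. The following is an added example, not code from this thread or from DEXT.nsf; the feed item is constructed, and both render functions are hypothetical stand-ins for a consuming reader.

```python
import html
import xml.etree.ElementTree as ET

# Constructed RSS snippet standing in for the feed discussed above; the title is
# the entity-escaped string the comment describes (no literal < or > in the XML).
FEED_XML = """<?xml version="1.0"?>
<rss version="2.0"><channel><title>Test feed</title>
<item><title>&lt;script&gt;alert('XSS')&lt;/script&gt;</title>
<link>http://example.invalid/item/1</link></item>
</channel></rss>"""


def item_titles(feed_xml: str) -> list[str]:
    """Return item titles exactly as an XML parser hands them to the consumer.

    The entity escaping is consumed by the parser: the text comes back with
    literal < and > characters, which is what any feed reader would see.
    """
    root = ET.fromstring(feed_xml)
    return [t.text or "" for t in root.iterfind("./channel/item/title")]


def render_unsafe(title: str) -> str:
    """Hypothetical reader that drops the decoded title straight into HTML."""
    return "<h2>" + title + "</h2>"


def render_safe(title: str) -> str:
    """Hypothetical reader that escapes again at the HTML boundary.

    The XML-level escaping is already gone after parsing, so the consuming
    side must treat the title as untrusted text and escape it itself.
    """
    return "<h2>" + html.escape(title) + "</h2>"


if __name__ == "__main__":
    for title in item_titles(FEED_XML):
        print("parsed title :", title)
        print("unsafe render:", render_unsafe(title))
        print("safe render  :", render_safe(title))
```

The point for the feed consumer is that "stored as &lt; and &gt;" protects nothing once the XML has been parsed; escaping has to happen again wherever the text meets HTML.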
