XEROF

 

IE7 RSS vulnerability: altering the RSS store by hand


I thought that, now that IE7 has shipped, I would give it a run and see whether this evil thing passes a basic smell test.

Case in point: after checking that the RSS store is still unencrypted, I went on to test whether the feed items would at least enforce a CRC checksum mechanism to prevent silent third-party alteration.

Sure enough, wrong again. I took a simple hex editor and changed a letter in one of the feed items. In Robert Scoble's blog, I changed the "Oh" to an "Ah" right after the "Second in a series" words, as seen in the screen captures below, before and after the change.


The original RSS feed item


The feed item in IE7 after the manual change

I then went on to make more radical changes. It all gets through without a warning or error or anything. What IE7 does is filter out a feed item if it sees blatant scripting instructions in it. That's good...when you don't know that most real scripting hacks are not blatant...

I can't even start to imagine the number of nefarious purposes that the lack of a CRC checksum lets in. In any case, I think the entire security team over at the Microsoft IE team must be fired right away.
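As an added illustration (not code from the original post, and not the real IE7 feed store format), the sketch below applies the one-letter edit described above to a constructed feed item. It compares an unkeyed CRC-32, which catches the in-place edit but can be recomputed by anyone who rewrites the record, with a keyed HMAC-SHA256 tag. The record layout, function names and `STORE_KEY` are assumptions made for the example.

```python
import hashlib
import hmac
import zlib

# Constructed sample record; NOT the real IE7 feed store format.
ORIGINAL = b"<item><title>Second in a series. Oh, what a week</title></item>"
# Hypothetical per-user key, assumed to be out of reach of whoever edits the store.
STORE_KEY = b"constructed-demo-key"


def seal_crc(item: bytes) -> bytes:
    """Append an unkeyed CRC-32 (4 bytes) to the item."""
    return item + zlib.crc32(item).to_bytes(4, "big")


def verify_crc(record: bytes) -> bool:
    item, tag = record[:-4], record[-4:]
    return zlib.crc32(item).to_bytes(4, "big") == tag


def seal_hmac(item: bytes, key: bytes) -> bytes:
    """Append a keyed HMAC-SHA256 tag (32 bytes) to the item."""
    return item + hmac.new(key, item, hashlib.sha256).digest()


def verify_hmac(record: bytes, key: bytes) -> bool:
    item, tag = record[:-32], record[-32:]
    expected = hmac.new(key, item, hashlib.sha256).digest()
    return hmac.compare_digest(expected, tag)


def edit_body(record: bytes, tag_len: int) -> bytes:
    """The post's one-letter edit: change the body, keep the stored tag."""
    item, tag = record[:-tag_len], record[-tag_len:]
    return item.replace(b"Oh", b"Ah", 1) + tag


if __name__ == "__main__":
    crc_rec, mac_rec = seal_crc(ORIGINAL), seal_hmac(ORIGINAL, STORE_KEY)
    tampered = edit_body(crc_rec, 4)[:-4]
    print("CRC, body edited:        ", verify_crc(edit_body(crc_rec, 4)))
    print("CRC, edited and resealed:", verify_crc(seal_crc(tampered)))
    print("HMAC, body edited:       ", verify_hmac(edit_body(mac_rec, 32), STORE_KEY))
    print("HMAC, resealed w/o key:  ", verify_hmac(seal_hmac(tampered, b"guess"), STORE_KEY))
```

The keyed tag only helps when the key is stored where the party writing to the feed store cannot read it; code running as the same user with access to the key can reseal records just as it can with a CRC.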

Posted on 24-October-2006 07:51 | Category: News | comment[0] | trackbacks[15]

 

 
