Ben Smith and I are attending Social Graph Foocamp this weekend – this is his post on the BBC development blog – which we’re setting free here on my blog.
While this isn't a topic that anyone is talking about here, I was struck by a throwaway comment by Brad Fitzpatrick about the possibility of Microformat Injection. Everyone knows about XSS and only the worst developers leave themselves exposed by allowing JavaScript through form submissions. However, allowing a subset of HTML through in requests, to then be published in, say, profile pages, is quite standard.
I'm not sure if it would ever be particularly dangerous, but Microformat Injection could be used to insert `rel="me"` tags into pages, as `<a>` tags are quite regularly allowed through. Now I'm not very knowledgeable about Microformats (RDFa seems shinier), so I'll leave it up to you to think up some interesting Microformat Injection exploits. Please comment if you think of any!
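The defensive side of the point above, as an added example that is not part of the original post: a profile-page sanitizer that rebuilds submitted HTML from an attribute allowlist, so an `<a>` tag survives but its `rel` (and any event handler or non-http `href`) does not. The allowlist, class names and the sample input are constructed for this illustration.

```python
from html import escape
from html.parser import HTMLParser

# Tags a profile page may keep, and the attributes allowed on each.
# "rel" is deliberately absent from <a>, so a submitted rel="me" is dropped, not published.
ALLOWED = {"a": {"href", "title"}, "b": set(), "i": set(), "p": set(), "br": set()}
VOID = {"br"}

def safe_href(value):
    # Only absolute http(s) links survive; javascript: and data: do not.
    return value.strip().lower().startswith(("http://", "https://"))

class ProfileSanitizer(HTMLParser):
    # Rebuilds the fragment from the allowlist instead of filtering bad bits out.
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.dropped = []  # (tag, attribute) pairs removed, worth logging

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED:
            return  # unknown tag is dropped; its text content is still emitted
        kept = []
        for name, value in attrs:
            ok = name in ALLOWED[tag] and value is not None
            if ok and name == "href":
                ok = safe_href(value)
            if ok:
                kept.append(f' {name}="{escape(value, quote=True)}"')
            else:
                self.dropped.append((tag, name))
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in ALLOWED and tag not in VOID:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(escape(data))  # text is always re-escaped

def sanitize(fragment):
    """Return (clean_html, dropped) for a user-submitted HTML fragment."""
    parser = ProfileSanitizer()
    parser.feed(fragment)
    parser.close()
    return "".join(parser.out), parser.dropped

# Constructed sample of what a profile form might receive.
SUBMITTED = ('<p>Find me at <a href="https://example.org/" rel="me" '
             'onclick="steal()">my site</a> or <a href="javascript:alert(1)">here</a>.</p>')
```

Logging the `dropped` list is a cheap way to spot users who keep submitting `rel` attributes.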