Security researchers Mario Gomes and Soroush
Dalili reported that since Mozilla allows the pseudo-protocol feed:
to prefix any valid URL, it is possible to construct feed:javascript:
URLs that will execute scripts in some contexts. On some sites it may be possible to use this to evade output filtering that would otherwise strip javascript:
URLs and thus contribute to cross-site scripting (XSS) problems on these sites.