#1 SirNot, Aug 26th 2006 (edited):
    As the Flickrizer extension does not validate any information it receives from the rss file, it is easily possible to exploit this and insert js into an account page. For an example of this see my profile. You can see how it's done by viewing the rss 'feed': http://sirnot.googlepages.com/flickr.xml
#2 STE7130, Aug 26th 2006:
    nice :)
#3 SirNot, Aug 27th 2006 (edited):
    The FeedReader extension, by folletto, also seems to be vulnerable, although it is probably less likely to be compromised as the administrator is the one who chooses the feed url. For example, if an item is constructed like the following, it will display a message box:

        <item>
        <title>Bla &lt;/a&gt;&lt;script&gt;alert('hi there');&lt;/script&gt;</title>
        <link>http://google.com/</link>
        </item>

    I am not sure if FlickrFeed suffers from this same vulnerability or not, as I do not know to what extent flickr will 'parse' the info in the php_serial formatted feed.
#4 Mark, Aug 27th 2006:
    Hmmm. Thanks for the heads up. I'll have to do a quick fix...
#5 SirNot, Aug 27th 2006 (edited):
    It'd probably be easiest to fix by replacing all instances of >, < and " with their html entity equivalents, then making sure urls have a valid protocol. But you'd also want to do something about end parenthesis in the thumbnail url, as people could break out of the url() function-thing and insert some js in the styling. Alternately you could add in quotes around the url then replace single quotes in the url with entities...
#6 Mark, Aug 28th 2006:
    I was thinking about doing something like removing the need for the entire URL and just having them enter their id parameter from the rss querystring. Then I can just validate that value for number@letter## format like mine: 98748659@N00
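A defensive implementation of the fixes proposed in #5 and #6, added here as an example; it is not code from Flickrizer, FeedReader or Vanilla, the function names are hypothetical, and the single letter in the Flickr id is assumed to be alphabetic (the thread only says "letter"):

```php
<?php
// Added example, not extension code: sanitise feed-supplied values before they
// reach HTML or inline CSS, following the fixes proposed in comments #5 and #6.

// Comment #6: accept only a Flickr id of the form digits@letter+two digits,
// e.g. 98748659@N00, instead of a free-form RSS URL chosen by the user.
function flickr_id_is_valid(string $id): bool {
    return preg_match('/^[0-9]+@[A-Za-z][0-9]{2}$/', $id) === 1;
}

// Comment #5, part 1: entity-encode <, >, ", ' and & in feed text such as
// <title>, so a payload like </a><script>...</script> renders as inert text.
function feed_text_escape(string $text): string {
    return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Comment #5, part 2: a feed URL must carry an http or https scheme and a
// host; javascript:, data: and relative or malformed values are rejected.
function feed_url_is_safe(string $url): bool {
    $parts = parse_url($url);
    if ($parts === false || empty($parts['scheme']) || empty($parts['host'])) {
        return false;
    }
    return in_array(strtolower($parts['scheme']), ['http', 'https'], true);
}

// Comment #5, part 3: inside CSS url(), a ")" or a quote lets the thumbnail
// URL break out of the function. Percent-encode every byte that can end the
// string or the function, then emit a quoted url() for a style="" attribute.
function css_background_url(string $url): ?string {
    if (!feed_url_is_safe($url)) {
        return null;
    }
    $encoded = strtr($url, [
        '(' => '%28', ')' => '%29', '"' => '%22', "'" => '%27',
        '\\' => '%5C', ' ' => '%20', '<' => '%3C', '>' => '%3E',
        "\n" => '%0A', "\r" => '%0D',
    ]);
    return 'url("' . feed_text_escape($encoded) . '")';
}

// One <item> end to end: the title from comment #3 comes out as plain text and
// the link is only rendered as an anchor when its scheme checks out.
function render_feed_item(string $title, string $link): string {
    $text = feed_text_escape($title);
    return feed_url_is_safe($link)
        ? '<a href="' . feed_text_escape($link) . '">' . $text . '</a>'
        : $text;
}
```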