OData supports serving arbitrary media types stored in media entities streams, streamed properties, and binary properties that can be retrieved in their native format using $value.

While this is certainly useful, for example in serving pictures directly from the ODataURL, there is a risk that this may be abused by attackers, for example by uploading ‘text/html’ content which contains a Cross-Site-Scripting payload. Once a user views this payload, it can then be used to make arbitrary OData calls and exfiltrate data, possibly crossing an intranet/internet boundary.

In general, anything that returns a content type of the client choice (as text/html, javascript, etc.) may cause typical web application attacks.