- Type: Task
- Status: New
- Priority: Major
- Resolution: Unresolved
- Affects Version/s: V4.0_WD01
- Fix Version/s: CN01
- Component/s: Securing OData
- Labels: None
- Environment:
[Proposed]
- Proposal:
OData supports serving arbitrary media types stored in media entity streams, stream properties, and binary properties, which can be retrieved in their native format using $value.
While this is certainly useful, for example for serving pictures directly from the OData URL, there is a risk that it may be abused by attackers, for example by uploading 'text/html' content that contains a Cross-Site Scripting payload. Once a user views this payload in a browser, it runs in the service's origin and can be used to make arbitrary OData calls and exfiltrate data, possibly crossing an intranet/internet boundary.
In general, anything that returns a content type of the client's choosing (such as text/html, JavaScript, etc.) may enable typical web application attacks.
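One server-side mitigation for the $value risk described above, as an added example that is not part of this issue or of any OData implementation: the response headers for a $value request are chosen from the stored media type, so that only a small allowlist is rendered inline and everything else is delivered as a download with sniffing disabled. The allowlist `INLINE_SAFE_TYPES` and the helper names are assumptions for this example.

```python
import re
from typing import Dict

# Media types a browser may render inline without executing script.
# Constructed allowlist for this example; narrow or extend it to what the service must serve.
INLINE_SAFE_TYPES = {"image/png", "image/jpeg", "image/gif", "image/webp", "text/plain"}


def normalize_media_type(value: str) -> str:
    """Drop parameters such as '; charset=utf-8' and lowercase the type/subtype."""
    return value.split(";", 1)[0].strip().lower()


def value_response_headers(stored_media_type: str, filename: str = "value") -> Dict[str, str]:
    """Build headers for a $value response of a media entity or stream property.

    The stored media type was supplied by whoever uploaded the bytes, so it must not
    decide on its own whether the browser renders the response as a document.
    """
    media_type = normalize_media_type(stored_media_type) or "application/octet-stream"
    # Keep the filename to a safe character set so the header cannot be broken out of.
    safe_name = re.sub(r"[^A-Za-z0-9._-]", "_", filename) or "value"
    headers = {
        "Content-Type": media_type,
        # Prevents MIME sniffing: a blob stored as image/png that is really HTML stays non-HTML.
        "X-Content-Type-Options": "nosniff",
        # Even an inline image must not run script if the browser mis-parses it.
        "Content-Security-Policy": "default-src 'none'; sandbox",
    }
    if media_type in INLINE_SAFE_TYPES:
        headers["Content-Disposition"] = f'inline; filename="{safe_name}"'
    else:
        # text/html, SVG, XML, JavaScript and everything else a browser could render as a
        # document is sent as a download, so it never executes in the service's origin.
        headers["Content-Disposition"] = f'attachment; filename="{safe_name}"'
    return headers
```

The same allowlist can be applied at upload time to reject media types the service never needs to store.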