I'm currently building an app that renders RSS and ATOM Feeds on the client side. I can't directly send an ajax request to "http://stackoverflow.com/feeds/tag/php", but I can send a request to my server that just echos the XML File like:
<?php
echo file_get_contents('http://stackoverflow.com/feeds/tag/php');
?>
What are the security implications(if any) on doing this?
StackOverflow is now allowed to hack the data your clients get and replace it with something malicious or annoying. (To be fair, they could even if you were able to use the URL directly.)
Your clients are now allowed to cause your server to make a lot of requests to StackOverflow, who may block you for DOSing the site or something like that. (I do hope you apply a modicum of caching.)
You may be able to use the Filter functions to sanitize the data before the echo. In general, unless the host you're getting the data from is controlled by you and doesn't allow general users to upload or add data that will be echo'ed then I wouldn't trust it. You just don't ever know what someone might be able to get through.
I would write a script which would run on cron and fetch the data and write your own database/filesystem/cache (your choice) and give them to users asychrously. You never know how slow the other server responds and if it really responds slow, it also slows your site.
You have to send
header('application/xml');
Then the client will handle it as XML, and no XSS can occur as far as I can tell.