Cross-application scripting

Cross-application scripting (CAS) is a vulnerability affecting desktop applications that do not exhaustively validate their input.

Like web interfaces, modern frameworks for building graphical applications (in particular GTK+ and Qt) allow the use of tags inside their own widgets.

Typically, desktop applications accept a considerable amount of input and support a large number of features, certainly more than any web interface.

In CARF, the concepts of “link” and “protocol” inherited from the web are extended, because they involve components of the graphical environment and, in some cases, of the operating system.

In contrast to XSS techniques, which can manipulate and later execute commands in the user's browser, CAS makes it possible to talk directly to the operating system, and not just its graphical interface.
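As an added example (not part of the original article), the following Python sketch shows the defensive side of the points above about tags in widgets and about links and protocols: it audits untrusted text for tags and link schemes before the text reaches a tag-aware widget, and escapes it for literal display. The scheme allowlist, the function names and the sample strings are assumptions made for illustration, and `html.escape` stands in for the toolkit's own escaping routine.

```python
import html
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption: the only link schemes this hypothetical application honours.
ALLOWED_SCHEMES = {"http", "https"}

class MarkupAudit(HTMLParser):
    """Records every tag and every link scheme present in a string."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.tags, self.schemes = [], []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        for name, value in attrs:
            if name in ("href", "src") and value:
                try:
                    scheme = urlsplit(value.strip()).scheme.lower()
                except ValueError:
                    scheme = "(unparseable)"
                # A link without a scheme has no safe meaning in a desktop widget.
                self.schemes.append(scheme or "(none)")

def audit(text):
    """Return the tags found and the link schemes outside the allowlist."""
    parser = MarkupAudit()
    parser.feed(text)
    parser.close()
    bad = sorted({s for s in parser.schemes if s not in ALLOWED_SCHEMES})
    return {"tags": parser.tags, "disallowed_schemes": bad}

def to_literal_text(text):
    """Escape markup so a tag-aware widget displays the input verbatim."""
    return html.escape(text, quote=True)

# Constructed sample inputs (file name, message body, note text).
SAMPLES = [
    "report_2024.txt",
    "<b>Invoice</b> from <a href='https://example.org/inv'>portal</a>",
    'Notes <a href="customproto://example/item">open</a>',
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(audit(s), "->", to_literal_text(s))
```

Escaped output contains no tags when audited again, which is the property to check before handing externally supplied strings (file names, metadata, message bodies) to a widget that interprets markup.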