Liferea will silently load content, including scripts, from servers with invalid certificates. This allows a MitM attacker to inject code into most web pages.
Further explanation and test case: https://rya.nc/https-script.html
You can directly do some tests using this rss feed https://raw.githubusercontent.com/damascene/s-check/master/rss.xml from s-check
WebKit 2 pass that test, so this is fixed in 1.12.