It's effectively the same as SQL injection except it poses immediate threats to users rather than the server.
I remember a fairly major piece of forum software had an XSS vulnerability in the code that displays the popup in the middle of the screen when you receive a PM. Someone was messing around and sent out a bunch of PMs, basically with the code inside the subject field, which caused a webpage from their webserver to be loaded in a frame over the top of the current page, so it still looked like it was connected to the same site. It can be an easy method of phishing if used right with a replica page.
Aka, escape everything.
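
What "escape everything" means for the PM popup described above, as an added example that is not part of the original posts or of any real forum package. The template, field names and sample message are constructed for illustration.

```javascript
// Added example: hypothetical popup template, not code from any real forum software.

const HTML_ESCAPES = {
  "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
};

// Escape a value for use in an HTML text node or a quoted attribute value.
// A single pass over the input avoids double-escaping the "&" we emit ourselves.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable form: user-controlled fields are concatenated into markup as-is,
// so markup in the subject becomes part of the page.
function renderPopupUnsafe(pm) {
  return `<div class="pm-popup" title="${pm.subject}">` +
         `New PM from ${pm.sender}: ${pm.subject}</div>`;
}

// Hardened form: every user-controlled field is escaped at output time,
// including the ones that "should" be harmless, such as the sender name.
function renderPopupSafe(pm) {
  const subject = escapeHtml(pm.subject);
  const sender = escapeHtml(pm.sender);
  return `<div class="pm-popup" title="${subject}">` +
         `New PM from ${sender}: ${subject}</div>`;
}

// Count opening tags in rendered markup. The template contributes exactly
// one (<div>), so anything above 1 came from user input.
function countOpeningTags(html) {
  return (html.match(/<[a-zA-Z][^>]*>/g) || []).length;
}

// Constructed sample: a subject that closes the attribute and opens a frame.
const samplePm = {
  sender: "alice",
  subject: 'hi"><iframe src="https://example.invalid/"></iframe>',
};

console.log("unsafe tags:", countOpeningTags(renderPopupUnsafe(samplePm)));
console.log("safe tags:  ", countOpeningTags(renderPopupSafe(samplePm)));
console.log(renderPopupSafe(samplePm));
```

The same escaping is only correct for HTML text and quoted attributes; a subject placed inside a script block or a URL needs the encoder for that context instead.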