Limitations on cross-site scripting (XSS hereafter) have been troubling me as I try to write enhancements to our library catalog, but the reasons for the prohibition are sound. Without them I could snort your browser cookies (RSnake lists “cookie/credential stealing/replay/session riding” among the threats, but a well-planned attack could also fetch resources from internal webservers and deliver them to external data thieves). It would be impossible for me to list every possible attack vector, but RSnake takes a good stab at it.
If you allow users to insert HTML in comments, you should be aware of this…
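As an added example (not code from the original post), here is one defensive answer to that closing warning: an allowlist sanitizer for user-supplied HTML in comments, built only on the Python standard library. The tag/attribute policy and the names `CommentSanitizer` and `sanitize_comment` are assumptions for illustration.

```python
# Added example (not from the original post): an allowlist HTML sanitizer for
# user comments. Anything not explicitly allowed is dropped, the safe default.
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hypothetical policy: simple formatting plus plain http(s) links only.
ALLOWED_TAGS = {"b", "i", "em", "strong", "p", "br", "a"}
ALLOWED_ATTRS = {"a": {"href"}}
SAFE_SCHEMES = {"http", "https"}  # relative and javascript:/data: URLs are dropped

class CommentSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.skip = 0  # depth inside <script>/<style>, whose content is discarded

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self.skip += 1
            return
        if self.skip or tag not in ALLOWED_TAGS:
            return  # unknown tag: the tag is dropped, its text content is kept
        kept = []
        for name, value in attrs:
            if value is None or name not in ALLOWED_ATTRS.get(tag, set()):
                continue  # drops onclick=, onerror=, style=, and so on
            if name == "href" and urlparse(value).scheme not in SAFE_SCHEMES:
                continue  # drops javascript: and data: URLs
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self.skip = max(0, self.skip - 1)
        elif not self.skip and tag in ALLOWED_TAGS and tag != "br":
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip:
            self.out.append(escape(data))  # text nodes are always entity-encoded

def sanitize_comment(raw):
    """Return the comment with only allowlisted markup and attributes left."""
    parser = CommentSanitizer()
    parser.feed(raw)
    parser.close()  # flushes any trailing text still buffered by the parser
    return "".join(parser.out)
```

Unclosed allowlisted tags are passed through as-is, so a real deployment would also want to balance the output or run it through a proper HTML serializer.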