CERT Advisory on Malicious HTML Tags

CERT has issued a new advisory detailing the abuse of certain HTML tags. The malicious code can be used in forms, forums, posts, cookies, etc. (HTML-enabled email readers?) Many web sites and web applications are potentially affected by this vulnerability.

All sites that generate dynamic content based on input should be checking the validity of all input. That is easier said than done. As more and more sites employ substantial DHTML, this is an ever-increasing issue.

This exploit method has long been known, and it is encouraging to see it finally being taken more seriously. Many sites and/or programs are already prepared and disable the use of HTML tags in input (for example, with Phorum it is a configurable option). Other sites know of the risk and have chosen either not to protect against it (to allow full functionality for non-malicious users) or to allow only certain HTML tags. Many others still have no concept of the vulnerability. Whatever the case may be, everyone should be aware of the problem and its potential.

Check the CERT link for further details.

CERT: HTML Tags Advisory
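
The two input-handling choices described above (HTML disabled outright, or only certain tags allowed), sketched in Python as an added example that is not from the advisory or from Phorum. The tag allowlist and the function names are assumptions made for illustration.

```python
import html
import re

# Assumed allowlist for illustration: formatting tags that carry no attributes.
ALLOWED_TAGS = ("b", "i", "em", "strong", "u")

# Matches an already-encoded, attribute-free opening or closing allowlisted tag.
_ENCODED_TAG = re.compile(
    r"&lt;(/?)(%s)&gt;" % "|".join(ALLOWED_TAGS), re.IGNORECASE
)


def escape_all_html(user_input: str) -> str:
    """HTML disabled: encode every metacharacter so input renders as text."""
    return html.escape(user_input, quote=True)


def allow_basic_tags(user_input: str) -> str:
    """Only certain tags allowed: encode everything first, then restore
    exact allowlisted tags. Anything with attributes stays encoded."""
    escaped = html.escape(user_input, quote=True)
    return _ENCODED_TAG.sub(
        lambda m: "<%s%s>" % (m.group(1), m.group(2).lower()), escaped
    )


if __name__ == "__main__":
    # Constructed forum posts, not taken from the advisory.
    samples = [
        "<b>bold</b> and <script>alert(1)</script>",
        '<B onmouseover="x()">hover</B>',
        "literal &lt;b&gt; typed by the user",
    ]
    for post in samples:
        print("disabled :", escape_all_html(post))
        print("allowlist:", allow_basic_tags(post))
```

Encoding first and restoring second means a tag is only ever emitted in a form the code itself wrote, so attributes such as event handlers never reach the page.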