Help explain how a hacker could perform a XSS exploit. This article explains how a bad-guy could send a malicious query through an unvalidated searchbox and essentially modify the html on the search results page. What I don't understand is how the hacker could have this malicious code display on a page that I am browsing. Except for unvalidated forum posts, how can a hacker inject malicious code into a webpage. If I ensure that my forum posts don't allow HTML and I am not loading external js files, what do I have to worry about?
posted by kaizen on May 22, 2007 - 6 answers