BitFlux Blog:
Helping to Prevent XSS
Jan 17, 2005 @ 13:05:06

One of the most common flaws that catches web sites by surprise is cross-site scripting: even an otherwise well-secured site can be abused through XSS. It's good that there are people looking out for the community and providing resources to help curb this widespread issue, and this new post from the BitFlux blog is a prime example.

Cross Site Scripting, aka XSS, is increasingly a problem with a lot of webapps, and there's an ongoing discussion on the phpsec mailing list about that.

We have tried to prevent that for some time with different approaches. For example, we allow only certain tags in comments (with the help of strip_tags()), we don't make links clickable, and we use tidy for further clean-up, but we also wrote a little method which tries to clean the most common exploit attempts with some preg magic. But I doubt that we catch every possible exploit. Therefore I ask my readers if they know of some more exploits to further improve this method. The source code of the method can be found here and you can test it out at http://php5.bitflux.org/xss.php.
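The quoted post relies on strip_tags() with an allowed-tag list plus pattern matching. The example below is added here to illustrate the weak point of that approach and one safer alternative; it is not BitFlux's code and does not reproduce their method. The sample comment, the tag allow-list and the function names are constructed for this illustration. The first function shows that strip_tags() leaves attributes on allowed tags untouched, so an event-handler attribute or a javascript: URL survives it; the second rebuilds the fragment from a parsed DOM, keeping only listed elements and attributes, re-encoding all text on output and dropping script content outright.

```php
<?php
// Added example (not BitFlux's code): why strip_tags() with an allow-list is not
// enough on its own, and an allow-list sanitizer built on DOMDocument instead.

declare(strict_types=1);

// Constructed sample comment: uses allowed tags but carries an event-handler
// attribute, a javascript: link and a script element.
const SAMPLE_COMMENT = 'Nice post <b onmouseover="alert(1)">bold</b> and '
    . '<a href="javascript:alert(1)">link</a> <script>alert(1)</script>';

// Approach 1: strip_tags() with allowed tags. Disallowed tags are removed,
// but every attribute on an allowed tag is kept as-is.
function stripTagsOnly(string $html): string
{
    return strip_tags($html, '<b><i><a>');
}

// Approach 2: parse the fragment and rebuild it from an allow-list of
// elements and attributes. Anything not listed is dropped.
function sanitizeComment(string $html): string
{
    // Hypothetical policy for this example: which tags and attributes survive.
    $allowed = [
        'b' => [],
        'i' => [],
        'a' => ['href'],
    ];

    $doc = new DOMDocument();
    $prev = libxml_use_internal_errors(true); // malformed markup must not emit warnings
    $doc->loadHTML(
        '<!DOCTYPE html><html><head>'
        . '<meta http-equiv="Content-Type" content="text/html; charset=utf-8">'
        . '</head><body><div id="root">' . $html . '</div></body></html>'
    );
    libxml_use_internal_errors($prev);

    $root = $doc->getElementById('root');
    return $root === null ? '' : renderNode($root, $allowed, true);
}

function renderNode(DOMNode $node, array $allowed, bool $isRoot = false): string
{
    if ($node instanceof DOMText) {
        // Text is re-encoded on output, so markup characters inside it are inert.
        return htmlspecialchars($node->nodeValue, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    }
    if (!$node instanceof DOMElement) {
        return ''; // comments, processing instructions etc. are dropped
    }

    $tag = strtolower($node->tagName);
    if (!$isRoot && in_array($tag, ['script', 'style'], true)) {
        return ''; // executable/unsafe content: drop the element and its body
    }

    $children = '';
    foreach ($node->childNodes as $child) {
        $children .= renderNode($child, $allowed);
    }
    if ($isRoot) {
        return $children;
    }
    if (!isset($allowed[$tag])) {
        return $children; // disallowed element: keep its text, drop the tag
    }

    $attrs = '';
    foreach ($allowed[$tag] as $name) {
        if (!$node->hasAttribute($name)) {
            continue;
        }
        $value = $node->getAttribute($name);
        if ($name === 'href' && !preg_match('#^https?://#i', $value)) {
            continue; // only http(s) links; javascript:, data: etc. are rejected
        }
        $attrs .= ' ' . $name . '="'
            . htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '"';
    }
    return "<{$tag}{$attrs}>{$children}</{$tag}>";
}

echo "strip_tags only:\n", stripTagsOnly(SAMPLE_COMMENT), "\n\n";
echo "allow-list sanitizer:\n", sanitizeComment(SAMPLE_COMMENT), "\n";
```

Run it with the PHP CLI and compare the two outputs: the strip_tags() version still contains the onmouseover attribute and the javascript: href, while the DOM-based version reduces the comment to plain text plus bare `<b>` and `<a>` tags. The design point is that an allow-list over a parsed tree is checked against what the browser will actually build, whereas regular-expression clean-up is checked against one guess at how the markup might be written.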

Even with simple exploits like these, it's scary to think what they could do in the wrong hands...
