PHP Security Blog:
You get what you pay for (Ning)
Oct 06, 2005 @ 10:54:29

With all of the buzz surrounding the latest offering in the social applications arena, Ning, it's easy to forget that any site out there can be susceptible to one of the harder attacks to prevent: cross-site scripting. On that note, the PHP Security Blog has a new post describing some of its findings.

Yesterday several PHP blogs and news sites announced the launch of ning, which is the newest project of Marc Andreessen and is meant to be a playground for building and using social applications. These applications are implemented in a stripped down (or sandboxed) version of PHP and can be created by cloning or merging already existing ning applications or by directly writing them with their PHP API.

I must admit that I was very amused after I had put "><script>alert("Obviously very well audited...");</script><blub into any of the input fields on the register and password forgotten pages. It seems that not a single field on their page is protected against XSS attacks and therefore it is wide open to password and cookie snatching attacks.

He suggests that having that kind of issue on the pages a user sees before even getting into the actual meat of the development process cannot bode well for the rest of the service. Having played around with it a little bit myself, I did find myself pulling up information from *a* content store, but not, apparently, mine, with a few incorrect commands.

Does it have problems? Sure, every application does, especially one at this kind of scale, but another once-over might be in order...
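To make the quoted finding concrete, here is an added example (written for this page, not code from the PHP Security Blog post or from Ning) of the bug class it describes: a registration form that echoes a submitted field straight back into an attribute, beside the same form with the value HTML-entity encoded. The probe string is the one quoted above; the function names and the form markup are this example's own assumptions, not Ning's.

```php
<?php
// Added example, not code from the PHP Security Blog post or from Ning.
// Reflected XSS on a registration form: the vulnerable handler beside the
// hardened one. Function names and markup are assumptions for illustration.

declare(strict_types=1);

// The probe string quoted in the post.
const PROBE = '"><script>alert("Obviously very well audited...");</script><blub';

// Vulnerable: the submitted username is echoed verbatim into the value
// attribute, so the leading "> closes the attribute and the <input> tag and
// the rest of the probe lands in the page as live markup.
function renderRegisterFormVulnerable(string $username): string
{
    return '<form method="post" action="/register">'
         . '<input type="text" name="username" value="' . $username . '">'
         . '<input type="submit" value="Register"></form>';
}

// Hardened: every untrusted value is entity-encoded for the HTML context it
// lands in. ENT_QUOTES matters here because the value sits inside a quoted
// attribute; without it single quotes pass through and a single-quoted
// attribute would still be breakable. ENT_SUBSTITUTE keeps malformed UTF-8
// from silently producing an empty string, which would hide a problem.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function renderRegisterFormHardened(string $username): string
{
    return '<form method="post" action="/register">'
         . '<input type="text" name="username" value="' . e($username) . '">'
         . '<input type="submit" value="Register"></form>';
}

// The crude check a tester runs after submitting the probe: did a <script>
// element appear in a page whose template never emits one?
function containsInjectedScript(string $html): bool
{
    return stripos($html, '<script') !== false;
}

// Run from the CLI: php xss_demo.php
foreach (['vulnerable' => 'renderRegisterFormVulnerable',
          'hardened'   => 'renderRegisterFormHardened'] as $label => $render) {
    $html = $render(PROBE);
    printf("%-10s script injected: %s\n%s\n\n", $label,
           containsInjectedScript($html) ? 'yes' : 'no', $html);
}
```

The vulnerable output contains the probe's `<script>` element intact, while the hardened output renders it as `&quot;&gt;&lt;script&gt;...`, which the browser displays as text inside the field. The same encoding has to be applied to every field on the register and forgotten-password pages, which is exactly the "not a single field" point the post makes: escaping on output, in the context where the value is used, not a one-off filter on a single input.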
