Half an hour of research has shown that many websites still don’t filter their HTML for potential XSS attacks. I just entered the simple search term “<script>alert(1)</script>” into search boxes of well-known news sites in the USA, UK and Germany. I got 7 results of vulnerable websites. Some of them just include the search term unescaped in the page, others get into trouble when including the term inside embedded JavaScript strings. In the latter case I had to change the term a bit to get the script executed. The following sites are vulnerable:
Should check your code, guys, and learn …
Andi 17:31 on April 17, 2009
Bob: Try it again without script tags – it’s in the index now. Why delayed – I don’t know. But believe me, I have tested that before publishing this post.
Anonymous: Search terms can be included in the URL in all examples. Click on the links to the sites in the list above and you see it.
Anonymous 02:07 on April 16, 2009
I don’t think this is a security issue, because search terms are never displayed to *other* users.
Bob 00:57 on April 16, 2009
I tried searching for “alert(1)” on this site. (I bet I’m not the only one.. some things are just obvious.)
I got no responses. Not only are you safe, but this article hasn’t been indexed yet. ;)