"Defence comes back to proper output encoding, and input validation."
Amen brother and"; DELETE FROM TABLE COMMENTS WHERE USER LIKE '%'
It has been 10 years since Sydney security bod Wade Alcorn disclosed how cross-site scripting vulnerabilities could be weaponised, a revelation that would one week later see the proof of concept become the fastest-spreading worm ever. There is no direct link between Alcorn's disclosure and Samy Kamkar's eponymously named worm …
Argh. XSS and SQL injection are so very different.
document.getElementById("body").value="pwned"; document.forms[0].submit();
(I'd have enclosed that in script tags to make it look right, but that dumps me on some Cloudflare captcha page. So apparently Cloudflare are, in fact, doing some sort of input blacklisting for the Reg. Bah. Sanitize on input and generate output correctly. Don't filter - it's ugly and leads to a lousy user experience.)