

Cross-site scripting explained - kungfudoi
http://www.ibm.com/developerworks/rational/library/08/0325_segal/

======
tonystubblebine
I'd never seen a good XSS hack up close, but our beta got hit pretty hard by a
viral XSS. It automatically added everyone as a friend and then
non-destructively inserted itself into your profile. What scared me most was
that the JavaScript was so readable and looked like something I could write. I
saved it: <http://www.stubbleblog.com/foocamp_xss_hack.js.txt>

If you're programming in Rails I'd recommend sanitize_params:
<http://code.google.com/p/sanitizeparams/>
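The kind of sanitization the comment above recommends, as an added example (this is not code from the page, the sanitize_params plugin, or the worm): a small allowlist HTML sanitizer in plain Ruby. Anything not explicitly allowed is dropped, `on*` handlers never survive, `href` must start with an allowed scheme (so `javascript:` URLs are cut), and all text nodes are HTML-escaped. The profile below is constructed to resemble the class of self-inserting payload the comment describes; the handler names `addFriend` and `copyIntoProfile` are placeholders, not anything from the real script.

```ruby
require 'cgi'
require 'strscan'

# Allowlist for profile markup; anything not listed here is removed.
ALLOWED_TAGS  = %w[p br b i em strong a].freeze
ALLOWED_ATTRS = { 'a' => %w[href title] }.freeze
# href must start with one of these; this rejects javascript:, data:, vbscript: etc.
SAFE_URL      = %r{\A(?:https?://|mailto:|/)}i

TAG_RE  = %r{<(/?)([a-z][a-z0-9]*)([^>]*)>}i
ATTR_RE = /([a-z][a-z0-9:-]*)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/i

# Returns a copy of +html+ containing only allowlisted tags/attributes,
# with every text node HTML-escaped.
def sanitize_html(html)
  s   = StringScanner.new(html)
  out = +''
  until s.eos?
    if (text = s.scan(/[^<]+/))
      out << CGI.escapeHTML(text)            # text nodes are always escaped
    elsif s.scan(TAG_RE)
      closing, name, raw_attrs = s[1] == '/', s[2].downcase, s[3]
      if %w[script style].include?(name)
        # drop the element body too, not just the tags
        s.skip_until(%r{</#{name}\s*>}i) || s.terminate
      elsif ALLOWED_TAGS.include?(name)
        out << (closing ? "</#{name}>" : "<#{name}#{safe_attrs(name, raw_attrs)}>")
      end
      # any other tag is dropped; its inner text still comes through escaped
    else
      out << '&lt;'                          # a stray '<' that is not a tag
      s.getch
    end
  end
  out
end

# Keeps only allowlisted attributes for +tag+, never event handlers,
# and only safe-scheme URLs in href.
def safe_attrs(tag, raw)
  allowed = ALLOWED_ATTRS.fetch(tag, [])
  raw.scan(ATTR_RE).filter_map do |k, *vals|
    k = k.downcase
    v = vals.compact.first
    next if !allowed.include?(k) || k.start_with?('on')
    next if k == 'href' && v !~ SAFE_URL
    %( #{k}="#{CGI.escapeHTML(v)}")
  end.join
end

# Constructed sample resembling the class of payload described in the comment
# (placeholder handler names, not the actual worm script).
WORM_PROFILE = <<~HTML
  <p>hi there <b>friends</b></p>
  <img src=x onerror="addFriend(everyone); copyIntoProfile(this)">
  <a href="javascript:addFriend(everyone)">click me</a>
  <script>copyIntoProfile(document.body)</script>
HTML

if __FILE__ == $PROGRAM_NAME
  puts sanitize_html(WORM_PROFILE)
end
```

The tag regex here is deliberately simple and does not model browser parsing quirks (attribute values containing `>`, unclosed tags, entity-encoded schemes); in a real Rails app use a parser-backed sanitizer rather than this regex scanner. The important property is the allowlist direction: the code enumerates what is permitted instead of trying to blocklist the attack, which is why an unknown `on*` attribute or a new URL scheme is rejected without any change to the code.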

