I found this after looking at the HTML of a post with META and STYLE tags in Monday's WTF thread. I did wonder why the code processing the post didn't strip out these tags. So I did a little test and found that SCRIPT tags are stripped out of the HTML but tag attributes are not, so you can easily add an onLoad event that fires the JavaScript you want.
How can you solve this? The common approaches to the problem are:
- Completely disallow HTML by escaping the user input, so that every tag is shown as literal text.
- Allow only specific tags (an allowlist), preferably by using a special markup (like UBB code) to represent those specific HTML tags, so that raw user-supplied tags and attributes never reach the page.
- Filter out the JavaScript (or other active scripting) from the HTML. This has to cover event-handler attributes such as onLoad and onError and javascript: URLs in href/src, not just SCRIPT tags.
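As an added illustration (not part of the original post, and not the forum's code), here is a small Python script that contrasts the three approaches on a constructed sample post: the forum's apparent filter (strip SCRIPT elements only), full escaping, and a tag/attribute allowlist built on the standard library's html.parser. The allowed tag set, the attribute policy and the URL rule are hypothetical choices made for the example. The output of the first function shows why stripping SCRIPT tags alone is not a defence: the onError handler and the javascript: link survive untouched.

```python
import html
import re
from html.parser import HTMLParser

# Constructed sample input (not taken from the thread): no <script> survives the
# forum's filter, but an event-handler attribute and a javascript: URL do.
SAMPLE = ('<b>hi</b><img src="/x.png" onerror="alert(1)">'
          '<a href="javascript:alert(2)">link</a><script>alert(3)</script>')


def naive_strip_script(markup):
    """What the forum seems to do: remove <script> elements and nothing else."""
    return re.sub(r'(?is)<script\b.*?</script\s*>', '', markup)


def escape_all(markup):
    """Approach 1: no HTML at all; the browser shows the tags as literal text."""
    return html.escape(markup, quote=True)


# Approaches 2 and 3 combined: an allowlist of tags and, per tag, of attributes.
# Anything not listed (every on* handler, style, ...) is dropped. This policy is
# a hypothetical one chosen for the example.
ALLOWED = {'b': set(), 'i': set(), 'p': set(), 'br': set(),
           'a': {'href'}, 'img': {'src', 'alt'}}
VOID = {'br', 'img'}
# URL attributes must be http(s) or a site-relative path. This rejects
# javascript:, data:, vbscript: and protocol-relative //host URLs.
SAFE_URL = re.compile(r'^(?:https?://|/(?!/))', re.I)


class AllowlistSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.open = []   # allowed tags opened but not yet closed
        self.skip = 0    # > 0 while inside <script>/<style>, whose text is discarded

    def handle_starttag(self, tag, attrs):
        if tag in ('script', 'style'):
            self.skip += 1
            return
        if self.skip or tag not in ALLOWED:
            return
        parts = []
        for name, value in attrs:        # names arrive lowercased, values entity-decoded
            if name not in ALLOWED[tag]:
                continue                 # drops onload, onerror, style, ...
            value = (value or '').strip()
            if name in ('href', 'src') and not SAFE_URL.match(value):
                continue                 # drops javascript: and friends
            parts.append(f' {name}="{html.escape(value, quote=True)}"')
        self.out.append(f'<{tag}{"".join(parts)}>')
        if tag not in VOID:
            self.open.append(tag)

    def handle_endtag(self, tag):
        if tag in ('script', 'style'):
            self.skip = max(0, self.skip - 1)
            return
        if self.skip or tag not in self.open:
            return
        while self.open:                 # close anything still open inside this tag
            t = self.open.pop()
            self.out.append(f'</{t}>')
            if t == tag:
                break

    def handle_data(self, data):
        if not self.skip:
            # text is re-escaped, so "&lt;script&gt;" stays inert after a round trip
            self.out.append(html.escape(data, quote=False))

    # comments, declarations and processing instructions hit HTMLParser's default
    # no-op handlers and are therefore dropped from the output

    def result(self):
        self.close()
        while self.open:                 # close tags the user left unclosed
            self.out.append(f'</{self.open.pop()}>')
        return ''.join(self.out)


def sanitize(markup):
    p = AllowlistSanitizer()
    p.feed(markup)
    return p.result()


if __name__ == '__main__':
    print(naive_strip_script(SAMPLE))    # onerror= and javascript: are still there
    print(escape_all(SAMPLE))
    print(sanitize(SAMPLE))
```

Two points worth noticing: because html.parser decodes attribute values before handing them over, an entity-encoded scheme such as `&#106;avascript:` is seen as `javascript:` and rejected by the same rule, and the URL check is itself an allowlist (only http, https and site-relative paths pass), so it does not need a list of dangerous schemes. Python's parser is far more tolerant than a browser's, so for production use a maintained HTML sanitizer library rather than this sketch; the structure is the point, not the code.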
Of course, in order to do that you will need the source code (ok, not strictly necessary, but practically true).
Anyway, it's not easy to completely protect against XSS attacks on sites where there is active content (especially if the content can be uploaded by the users), but the little protection this forum software seems to have (stripping out SCRIPT tags) seems almost like a joke.