The long and the short of it is that within 30 seconds I could easily find XSS (Cross Site Scripting) vulnerabilities – and I’m not claiming by any stretch to be a web security expert.
Any website that accepts user generated content really does need to make sure that it’s validating and filtering incoming data. It’s far too easy for someone with even the most primitive knowledge of “hacking” to play merry hell with your reputation and customers. Redirecting people to other sites, stealing session cookies, deliberately breaking the site layout, and much much more can be the end result – which really doesn’t look good at all.
So next time someone’s building a web application for you, make sure they aren’t just thinking about SQL Injection vulnerabilities, they’re also thinking about XSS…