As a website security consultant, I see Cross-Site Scripting (XSS) vulnerabilities just as often as the always popular SQL Injection attack.
The first example is a simple one. Many sites allow user comments. A user could quite easily enter:
Any user who visits the affected page will now see a popup box with the text “script!”. The commenter could just as easily have entered a script source of http://www.nastydomain.com/nastyscript.js, which would be downloaded and executed.
Fortunately the solution is simple: either use htmlentities() to ‘escape’ HTML entities, i.e. converting < to &lt; and so on, or use strip_tags() to remove all HTML tags from the input.
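The two fixes side by side with the unescaped output, as an added example that is not code from the original post. The function names and the sample comment are constructed for illustration; the comment is modelled on the “script!” popup described above.

```php
<?php
declare(strict_types=1);

// Constructed sample input: a comment that would produce the popup described above.
$comment = "<script>alert('script!');</script> Nice post!";

// Vulnerable: the comment is echoed verbatim, so the browser parses the
// <script> element and runs it for every visitor of the page.
function render_comment_unsafe(string $comment): string
{
    return '<p class="comment">' . $comment . '</p>';
}

// Fix 1: htmlentities(). Markup characters become entities, so the comment
// is displayed as text instead of being parsed. ENT_QUOTES also encodes
// ' and ", which matters if the value is ever placed inside an attribute.
// ENT_SUBSTITUTE replaces invalid byte sequences instead of returning ''.
function render_comment_escaped(string $comment): string
{
    $safe = htmlentities($comment, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<p class="comment">' . $safe . '</p>';
}

// Fix 2: strip_tags(). The tags are removed but the text between them is
// kept, so the script body remains as harmless visible text. Quotes are
// left untouched, so the result still needs escaping before it is written
// into an attribute value.
function render_comment_stripped(string $comment): string
{
    return '<p class="comment">' . strip_tags($comment) . '</p>';
}

// Print all three renderings so the difference in the emitted HTML is visible.
foreach (['unsafe', 'escaped', 'stripped'] as $variant) {
    $render = 'render_comment_' . $variant;
    printf("%-9s %s\n", $variant . ':', $render($comment));
}
```

Escaping at output time keeps the visitor's original text intact, while strip_tags() silently alters it, which is why the two are not interchangeable for content that may legitimately contain angle brackets.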