Cross Site Scripting Response
Submitted by aaron on Wed, 04/11/2007 - 1:06pm. I listen regularly to Security Now, and there has been a lot of talk lately about cross site scripting vulnerabilities on blogs and websites.
For a more detailed write-up of what cross site scripting is than I could ever produce, check out trusty Wikipedia.
Aaron's really basic overview
For a really basic overview, here it is. In HTML documents (such as this one) you can put client-side code (generally JavaScript, but it can be many flavors) anywhere on the page.
You can completely mix content and code however you want.
Now, years ago, when the web was young and pretty much a one-to-many broadcast medium (I post content, you look at content, nothing more), this was not a problem. The only way you could make my server spit out content was to get my FTP credentials.
The problem comes when you accept content from users.. which is all the rage with the young kids ever since... 1995? ; )
So, I have a guest book on my site. If that content is not properly checked, you could include a line of code that would kick all users that hit that web page to a porn site... or cover it in platypuses. Worse still, you could include a line of code that would have JavaScript send you a copy of all the users' session cookies.. which would allow you to pose as them on the website.
Not a big deal for your average blog.. but amazon.com? banking? You get the idea.
Solution: uh.. browser manufacturers?.. w3c? turn that stupid crap off!
With current HTML standards and practices.. there is absolutely zero need for tag attributes that execute code such as 'onclick', 'onmouseover', etc. There is also absolutely zero reason a <script> tag should ever be found mixed in with content. Most usage of both at this point is due to either backward compatibility with really old browsers, or sheer laziness.
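As an added example (not code from the original post), here is the guest-book scenario above written out two ways in Node.js: once with user text concatenated straight into the page, which is the bug described, and once HTML-escaped at output time. It also builds a Content-Security-Policy header, which is the mechanism browsers did eventually ship for what the "turn that stupid crap off" section asks for: a page can tell the browser to refuse inline `<script>` blocks and inline `on*` event handlers. The guest-book entries, the function names and the regex check are all constructed for this example.

```javascript
// Added example, not code from the original post. A tiny guest book rendered
// two ways: pasted into the page verbatim (the vulnerable version) and
// HTML-escaped (the fixed version), plus a Content-Security-Policy header that
// asks the browser to refuse inline script and inline on* handlers.
// The entries below are constructed sample data.

const ENTRIES = [
  { name: "alice", message: "Nice site!" },
  // What a careless guest book stores when a visitor submits markup.
  { name: "mallory", message: '<script>alert("xss")</script>' },
  { name: "oscar", message: 'Hi <b onmouseover="alert(1)">there</b>' },
];

// Replace the five characters that let text break out of an HTML text node
// or a quoted attribute value. Everything else can stay as-is.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
  })[ch]);
}

// Vulnerable: user text is concatenated straight into the page, so a stored
// <script> tag or on* attribute becomes live code for every visitor.
function renderUnsafe(entries) {
  return entries
    .map((e) => `<li><b>${e.name}</b>: ${e.message}</li>`)
    .join("\n");
}

// Fixed: every user-controlled string is escaped at output time, so the same
// markup is displayed as text instead of being parsed as tags.
function renderSafe(entries) {
  return entries
    .map((e) => `<li><b>${escapeHtml(e.name)}</b>: ${escapeHtml(e.message)}</li>`)
    .join("\n");
}

// Rough check a test can run over generated HTML: is there still a script
// tag, or an on* attribute inside a tag? Not a parser, just enough to show
// the difference between the two renderers.
function hasInlineCode(html) {
  return /<script\b/i.test(html) || /<[^>]*\son[a-z]+\s*=/i.test(html);
}

// Defence in depth: a CSP that only allows scripts served from the site's own
// origin. Without 'unsafe-inline', browsers refuse inline <script> blocks and
// on* handler attributes even if an escaping bug lets one through.
function cspHeader() {
  return {
    "Content-Security-Policy":
      "default-src 'self'; script-src 'self'; object-src 'none'",
  };
}

// Assemble the response a guest-book page handler would send.
function buildPage(entries) {
  return {
    headers: { "Content-Type": "text/html; charset=utf-8", ...cspHeader() },
    body:
      `<!doctype html><html><body><h1>Guest book</h1><ul>\n` +
      `${renderSafe(entries)}\n</ul></body></html>`,
  };
}

if (typeof module !== "undefined") {
  module.exports = { ENTRIES, escapeHtml, renderUnsafe, renderSafe, hasInlineCode, cspHeader, buildPage };
}
```

Escaping at output time fixes the guest book itself; the CSP header is the second layer, so that a missed escape somewhere else on the site still does not hand the visitor's session to whoever wrote the entry. Scripts the site genuinely needs move into files served from its own origin, which is exactly the separation of content and code the post argues for.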