Comment by thih9
2 days ago
You are right. At the same time this is a very common issue and an attack vector[1][2][3]. E.g.: an existing book called "<script>alert("!Mediengruppe Bitnik");</script>" is still not shown correctly by some websites[4].
[1]: SQL injection: https://en.wikipedia.org/wiki/SQL_injection
[2]: Cross-site scripting: https://en.wikipedia.org/wiki/Cross-site_scripting
[3]: Exploits of a Mom (Bobby Tables) XKCD: https://xkcd.com/327/
[4]: https://www.tomlinsons-online.com/p-16381221-scriptalertmedi...
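The rendering failure thih9 describes, as an added example that is not part of the thread: a page that concatenates a stored title straight into its markup versus one that escapes it for the HTML context first. The function names and the crude detector are assumptions made for the illustration.

```python
import html
import re

# Constructed sample input: the real-world book title quoted in the comment above.
BOOK_TITLE = '<script>alert("!Mediengruppe Bitnik");</script>'


def render_unescaped(title: str) -> str:
    """Vulnerable rendering: the stored title is interpolated verbatim.

    The embedded double quotes also break out of the title="" attribute,
    so the string reaches the browser as live markup, not as text.
    """
    return f'<li title="{title}">{title}</li>'


def render_escaped(title: str) -> str:
    """Hardened rendering: encode for HTML before interpolating.

    html.escape(quote=True) turns & < > " ' into entities, which is what is
    needed for both the text-node context and the quoted-attribute context used
    here. The browser still displays the original characters to the reader.
    """
    safe = html.escape(title, quote=True)
    return f'<li title="{safe}">{safe}</li>'


def escaped_round_trips(title: str) -> bool:
    """The escaped form decodes back to the original, so nothing is lost."""
    return html.unescape(html.escape(title, quote=True)) == title


_SCRIPT_TAG = re.compile(r"<script\b", re.IGNORECASE)


def has_script_tag(markup: str) -> bool:
    """Crude check used only to compare the two renderings: does the output
    still contain a real <script ...> tag (as opposed to &lt;script&gt;)?"""
    return _SCRIPT_TAG.search(markup) is not None


if __name__ == "__main__":
    print("unescaped:", render_unescaped(BOOK_TITLE))
    print("escaped:  ", render_escaped(BOOK_TITLE))
```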
I used this technique on an auction site once. It allowed the script tag in my username, so I used it to remove the "bid" button once I had bid -- nobody behind me could outbid me.
It went about as well as you would expect using it for fraud. Which is to say, not well at all (;´Д`)