In the forums, every post shows the member's blog feed in a tiny line under the member name, displaying the title of the newest entry. Because of a bug that leaves essential HTML reserved characters such as < and > as the real characters instead of converting them to HTML entities, I am able to inject HTML code into every page I have posts on.
After entering the feed address of this blog, all forum pages with my posts start picking up this feed and the newest entry title, with an injection line in it. This simple line of HTML runs shawn.js, located at http://7.charmhtml.com, on the particular DP forum page. Each and every visitor coming to that page will spot that funny little new Shawn logo, which I've put in place of the old DP forum one.
What more can I do with an injection?
Beyond all of this, you can also redirect visitors to another site, put up your own banner ads, trigger a popup window and even spread viruses.
How to prevent it
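The sketch below is an added example, not code from this post or from the forum software. It shows the feed-title line rendered the buggy way next to an escaped version. The sample feed, the `blog.example` URLs and all function names are constructed for illustration.

```python
import html
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed sample feed: the newest entry's title carries markup.
# Inside the XML it is entity-encoded, so the feed itself is well-formed.
SAMPLE_FEED = """<?xml version="1.0"?>
<rss version="2.0"><channel>
  <title>Member blog</title>
  <item>
    <title>Hello &lt;script src="https://blog.example/x.js"&gt;&lt;/script&gt;</title>
    <link>https://blog.example/post/1</link>
  </item>
</channel></rss>"""


def newest_entry(feed_xml):
    """Return (title, link) of the first <item>.

    The XML parser decodes &lt; and &gt; back to < and >, so the title
    comes out as live markup. Feeds are untrusted input: production code
    should also use a hardened XML parser (e.g. defusedxml).
    """
    item = ET.fromstring(feed_xml).find("./channel/item")
    return (item.findtext("title", default="").strip(),
            item.findtext("link", default="").strip())


def render_unsafe(title, link):
    # The bug described above: feed text is pasted into the page as-is.
    return '<a href="%s">%s</a>' % (link, title)


def safe_link(link):
    # Render only http(s) links; other schemes (javascript:, data:) are dropped.
    return link if urlsplit(link).scheme in ("http", "https") else "#"


def render_safe(title, link, max_len=80):
    # Escape &, <, > and quotes so the value is inert as text and as an attribute.
    return '<a href="%s" rel="nofollow">%s</a>' % (
        html.escape(safe_link(link), quote=True),
        html.escape(title[:max_len], quote=True),
    )
```

Escaping has to happen at output time, on the decoded title: the feed above is valid XML with no raw angle brackets in it, so checking the feed text itself would not catch the markup.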