Firefox: Paste HTML code from one child frame to parent text-box – src stripped

Here’s something fun: in Firefox 3.6.9, have some JavaScript code in a child frame append HTML code to a text box in the parent frame, and the content of the string is modified:

what was

<img src="foo.jpg" alt="bar" width="1" height="1" />

becomes

<img alt="bar" width="1" height="1" />

which is pretty pointless…

From what I can see, the insert method gets code matched against an allowed list to prevent XSS (from FF 3.6.9 onwards) – but it breaks a whole lot of things… Will see what the likes of CKedit have done to bridge this – though it looks like this bug only kicked in on 9 Sept 2010…


var startPos = myT.selectionStart;
var endPos = myT.selectionEnd;
var body = myT.value;

myT.value = body.substring(0, startPos) + snippet + body.substring(endPos, body.length);

is a good example…

Sigh…
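An added example, not code from the original post: a small JavaScript check that compares the snippet handed to the insertion code with what actually ended up in the text box, and reports which attributes were stripped or changed. The function names are hypothetical, the parser only covers simple opening tags, and the sample strings are the two img forms quoted above.

```javascript
// Added example; function names are hypothetical, sample strings are from the post.

// Pure form of the insertion code in the post: replace [startPos, endPos) with snippet.
function insertAtSelection(body, startPos, endPos, snippet) {
  return body.substring(0, startPos) + snippet + body.substring(endPos);
}

// Deliberately small parser: quoted and bare attribute values only,
// no comments, CDATA or malformed markup.
const ATTR = /([^\s"'<>\/=]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'<>]+)))?/g;
const TAG = new RegExp("<([a-zA-Z][\\w-]*)((?:\\s+" + ATTR.source + ")*)\\s*\\/?>", "g");

// Return the opening tags of a fragment as [{ name, attrs: Map }].
function parseTags(html) {
  return [...html.matchAll(TAG)].map((t) => ({
    name: t[1].toLowerCase(),
    attrs: new Map([...t[2].matchAll(ATTR)].map(
      (a) => [a[1].toLowerCase(), a[2] ?? a[3] ?? a[4] ?? ""])),
  }));
}

// Walk the tags of the sent snippet against the stored text and list every
// tag that vanished and every attribute that was removed or modified.
function droppedAttributes(sent, stored) {
  const after = parseTags(stored);
  const findings = [];
  let j = 0; // next unmatched tag in the stored text
  for (const tag of parseTags(sent)) {
    const match = after[j];
    if (!match || match.name !== tag.name) {
      findings.push({ tag: tag.name, attr: null, change: "tag-removed" });
      continue;
    }
    j++;
    for (const [attr, value] of tag.attrs) {
      if (!match.attrs.has(attr)) findings.push({ tag: tag.name, attr, change: "removed" });
      else if (match.attrs.get(attr) !== value) findings.push({ tag: tag.name, attr, change: "modified" });
    }
  }
  return findings;
}

const SENT = '<img src="foo.jpg" alt="bar" width="1" height="1" />';
const STORED = '<img alt="bar" width="1" height="1" />';
console.log(droppedAttributes(SENT, STORED));
```

In the page itself, pass the snippet and the text box's value read back after the insertion to droppedAttributes; an empty result means the markup arrived unchanged.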