Interesting XSS Vectors.

Published on: 1196108570
I saw a post by Gareth on his new XSS vectors. There are some really impressive ones among them. One of them caught my eye, because it still executes even if special characters are converted to their entities, as htmlspecialchars does, since no such characters are used in the vector. This again shows that blacklisting isn't the way to go and replacing isn't the way to go, and I'm prepared to go as far as saying that you should never allow users to insert any HTML at all, ever, or you're screwed some day.
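An added example (not from Gareth's post or this blog) of the point above: htmlspecialchars-style encoding only rewrites five characters, so it is a no-op on input that uses none of them and cannot serve as a filter for user-supplied HTML. The safe alternative is the one the post argues for: never let user data become markup, only text, and verify that structurally. The template, the audit parser and the sample inputs are assumptions constructed for this example.

```python
import html
from html.parser import HTMLParser

# The characters htmlspecialchars()-style encoding touches (with ENT_QUOTES).
SPECIAL = set('&<>"\'')


def escapes_anything(s: str) -> bool:
    """True only if entity encoding would change the input at all."""
    return any(ch in SPECIAL for ch in s)


def render_comment(author: str, body: str) -> str:
    """Hypothetical template that places user data only as HTML text content,
    never inside a tag, an attribute or a script. Text content is the one
    context in which entity encoding by itself is sufficient."""
    return '<p class="comment"><b>{}</b>: {}</p>'.format(
        html.escape(author, quote=True), html.escape(body, quote=True))


class _StructureAudit(HTMLParser):
    """Records every tag and attribute a browser-side parser would create."""

    def __init__(self):
        super().__init__()  # convert_charrefs=True: entities stay text
        self.tags, self.attrs = [], []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        self.attrs.extend(attrs)


def fragment_is_inert(fragment: str) -> bool:
    """Check that the rendered fragment creates exactly the template's own
    tags and attributes and nothing else, whatever the user supplied."""
    p = _StructureAudit()
    p.feed(fragment)
    p.close()
    return p.tags == ["p", "b"] and p.attrs == [("class", "comment")]


if __name__ == "__main__":
    # Constructed sample inputs: the first uses none of the five special
    # characters, so encoding leaves it untouched; the second contains markup.
    for body in ("key=value/other", "<b>hi</b>"):
        out = render_comment("someone", body)
        print(escapes_anything(body), fragment_is_inert(out), out)
```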

This example doesn't even need quotes to execute: