HTML::Defang will turn that into this:
But, if you begin and end your CSS attribute value with an end-comment (*/) and a start-comment (/*) instead, HTML::Defang leaves the code looking like this:
Now, granted, this sort of exploit only really hits Internet Explorer users (older versions of IE are the ones that evaluate script inside CSS), but it is still a pretty big issue: script smuggled in through a style attribute is basically how Samy pwned MySpace, after all.
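To make the bypass concrete, here is an added example (my own toy model, not HTML::Defang's code) of a sanitizer that neutralises a dangerous CSS declaration the way the post describes, by wrapping it in a CSS comment, alongside the */ ... /* trick that cancels the wrapper and a hardened variant that strips comment delimiters first and drops the declaration instead of commenting it out. The function names, the payload and the "what old IE would execute" check are all assumptions for illustration.

```javascript
// Added example: modelling the comment-wrapping defang and its bypass.
// Not HTML::Defang's implementation; names and payload are illustrative.

// Remove /* ... */ comments the way a CSS parser would. Looping handles
// nested-looking input such as "/*/**/*/" that a single pass leaves half done.
function flattenCss(css) {
  let prev;
  let cur = css;
  do {
    prev = cur;
    cur = cur.replace(/\/\*[\s\S]*?\*\//g, "");
  } while (cur !== prev);
  // Any unmatched delimiter left over is attacker-supplied noise; drop it.
  return cur.replace(/\/\*|\*\//g, "");
}

// Approximation of what an old, expression()-capable IE would act on once
// comments are gone: a CSS expression() or a javascript: URL.
function containsActiveCss(css) {
  const cleaned = flattenCss(css).toLowerCase();
  return /expression\s*\(/.test(cleaned) ||
         /url\s*\(\s*['"]?\s*javascript:/.test(cleaned);
}

// Naive defang (the pattern the post describes): comment out any declaration
// that contains expression(. The attacker controls the text inside the
// comment, so a leading "*/" and trailing "/*" close and reopen the comment.
function naiveDefangStyle(style) {
  return style
    .split(";")
    .map(decl => (/expression\s*\(/i.test(decl) ? "/*" + decl + "*/" : decl))
    .join(";");
}

// Hardened defang: flatten comments and stray delimiters first, then remove
// (not comment out) anything that still looks dangerous. Removing also
// covers "exp/*x*/ression(" style splitting, since the comment is gone
// before the check runs.
function hardenedDefangStyle(style) {
  return flattenCss(style)
    .split(";")
    .filter(decl => !/expression\s*\(|javascript:/i.test(decl))
    .join(";");
}

// Constructed payload: an expression() wrapped in end-comment / start-comment.
const payload = "*/expression(alert(document.cookie))/*";

console.log("naive   :", naiveDefangStyle(payload),
            "-> active:", containsActiveCss(naiveDefangStyle(payload)));
console.log("hardened:", JSON.stringify(hardenedDefangStyle(payload)),
            "-> active:", containsActiveCss(hardenedDefangStyle(payload)));
```

The naive sanitizer turns the payload into /**/expression(alert(document.cookie))/**/, which is two empty comments around a live expression; the hardened one returns an empty string. The general lesson is that you cannot neutralise attacker text by surrounding it with delimiters the attacker is also allowed to write.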
There is 1 comment on this page.
I think defang needs a little updating. Take a look at what happens when you put @media in a