hi5 and XSS 
Well, for the ones who don't know, hi5 is a social network site that a lot of people use. They've now changed their look and added some new functionality, including being able to use some HTML tags.
When I read that, one single thing came to my mind: XSS. I had to try it; after all, we've seen the hi5 development team having some development problems, such as identifying established sessions (yes, I know it can be a living hell to handle distributed sessions prior to Tomcat 5, and that could be the problem).
Anyway, I read in their small explanation that I could use <img> tags, so my first attempt was to directly inject the script:
<img src="javascript:alert('XSS');">
Gladly it didn't work! But right after that I gave it a try with a mouseover like this:
<img src="" onmouseover="alert('XSS');">
And there it was, an alert was popping up in my page. After that I tried with a window.open(URL) script and once again I managed to pop up a new window with the given URL. What if it was a spoofed hi5.com page asking for user and password? Not to mention stealing cookies, managing properties; if we have an open window for JavaScript we can do almost anything!
I'm also reporting this to the hi5.com development team. But most probably, for some time everyone can have some fun (and steal some passwords) in the hi5 community.
I know nobody is perfect, and everyone makes mistakes, and maybe I'm being a bit rash with the hi5 dev guys, but nowadays XSS is like the first security problem every developer must check! For those who are interested and still don't know how to do it, here's a link on how to prevent it.
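One way to allow <img> while neutralising both payloads shown above, as an added example that is not from the original post and not hi5's code: an allowlist sanitizer that parses the markup and keeps only named tags and attributes, so event handlers never survive. The tag and attribute policy and the names `ALLOWED`, `safe_url` and `sanitize` are assumptions made for illustration.

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumed policy for illustration (not hi5's): tag -> attributes allowed to survive.
ALLOWED = {"b": set(), "i": set(), "img": {"src", "alt", "width", "height"}}
VOID = {"img"}  # tags that take no closing tag

def safe_url(value):
    """True only for absolute http(s) URLs; javascript:, data: and empty values fail."""
    # Browsers ignore control characters and whitespace inside a scheme, so drop them first.
    cleaned = "".join(c for c in value if c > " ")
    try:
        parts = urlsplit(cleaned)
    except ValueError:
        return False
    return parts.scheme.lower() in {"http", "https"} and bool(parts.netloc)

class Sanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED:
            return  # tag dropped; any text inside it is still emitted escaped
        kept = []
        for name, value in attrs:  # the parser lowercases names and decodes entities
            if name not in ALLOWED[tag] or value is None:
                continue  # removes onmouseover, onerror, style, ...
            if name == "src" and not safe_url(value):
                continue  # removes javascript: and other non-http(s) sources
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")
    def handle_endtag(self, tag):
        if tag in ALLOWED and tag not in VOID:
            self.out.append(f"</{tag}>")
    def handle_data(self, data):
        self.out.append(escape(data))

def sanitize(markup):
    parser = Sanitizer()
    parser.feed(markup)
    parser.close()
    return "".join(parser.out)

if __name__ == "__main__":
    for payload in ('<img src="javascript:alert(\'XSS\');">', '<img src="" onmouseover="alert(\'XSS\');">'):
        print(sanitize(payload))
```

Both payloads from the post come out as a bare <img>, because the filter decides what may stay rather than what must go.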