Scenario

Sites that host discussion groups with Web interfaces can be vulnerable to a situation in which a client embeds malicious HTML tags in a message intended for another client. When client-to-client communications are mediated by a server, site developers recognize that data input is untrustworthy when it is presented to other users. Most discussion group servers either will not accept such input or will encode or filter it before sending to other readers. However, you cannot depend on third-party developers of every site to filter malicious code. To secure your networks, you should protect against these attacks, rather than rely on the administrators of external servers.

For example, an attacker might post:

Hello message board. This is a message.
<SCRIPT>malicious code</SCRIPT>
This is the end of my message.

When victims with scripts enabled in their browsers read this message, the malicious code may be executed unexpectedly. Scripting tags that can be embedded in this way include <SCRIPT>, <OBJECT>, <APPLET>, and <EMBED>.