Error free since 03:14:07 UTC January 19, 2038.

February 26, 2008

Lovely Bookmarklet for Arbitrary Code

Filed under: programming, javascript, security — Dave @ 2:19 am

I think there’s a script injection vulnerability with a site I use, and I’m itching to find a proof-of-concept attack. I haven’t had the time or the chutzpah to pick at it yet, but I did disable their client-side verification. I don’t know why it just occurred to me today to make a “Run arbitrary code in the context of the page” bookmarklet.

To use it, drag this: Run Code onto your links toolbar. All the code is:
javascript:(function(){eval(prompt('Run this code on this page:'))})()

  1. Standard javascript: protocol, with the code wrapped in a function that returns nothing, so the browser doesn’t treat the result as a new page to load
  2. Ask for a string
  3. Eval the string

If there’s a client-side script CleanBadCharacters(s), you can run “CleanBadCharacters=function(s){return s}” (without the quotes). You’ll need to do a little reading to find the exact validation.
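An added example, not part of the original post: because any user can replace CleanBadCharacters this way, the server has to treat the submitted value as untrusted and encode it on output. Every name here other than CleanBadCharacters (makePage, clientSubmit, renderComment, the 500-character limit) is hypothetical, and the sample input is constructed.

```javascript
// Browser side, simulated: a plain object stands in for the page's globals.
function makePage() {
  // Hypothetical body for the site's filter: strips markup characters.
  return { CleanBadCharacters: (s) => s.replace(/[<>"'&]/g, "") };
}

// What the page's submit handler would send to the server.
function clientSubmit(page, input) {
  return page.CleanBadCharacters(input);
}

// Server side: every request body is untrusted, whatever the page's
// script was supposed to do before sending it.
const HTML_ESCAPES = {
  "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
};

function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

// Validate type and length on the server, then encode at output time.
function renderComment(body) {
  if (typeof body !== "string" || body.length === 0 || body.length > 500) {
    return { ok: false, html: "" };
  }
  return { ok: true, html: "<p>" + escapeHtml(body) + "</p>" };
}

// Constructed sample input containing markup characters.
const SAMPLE = '<i>hi</i> & "bye"';

function demo() {
  const page = makePage();
  const filtered = clientSubmit(page, SAMPLE);   // filter intact
  page.CleanBadCharacters = function (s) { return s; }; // override from the post
  const unfiltered = clientSubmit(page, SAMPLE); // filter is now a no-op
  return { filtered, unfiltered, rendered: renderComment(unfiltered) };
}

console.log(demo());
```

The client-side filter only shapes what a cooperative browser sends; the escaped output from renderComment is what keeps the markup inert once the filter has been replaced.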

Update: Not an hour after I added that hammer (metaphorically), everything’s looking like a nail. Eval-ing “document.body.style.color='white' ” is useful if someone thinks grey on gray is an acceptable colour scheme.

July 16, 2007

Cut and paste

Filed under: programming, javascript — Dave @ 3:27 pm

Here’s a nice little demo:
http://rayozzie.spaces.live.com/editorial/rayozzie/demo/liveclip/liveclipsample/clipboardexample.html
of cutting and pasting objects between different browsers (IE/Firefox)