<a href=”badplace.com” style=”position: absolute; top:0; left: 0; height: 8000px; width:1000px”></a>
The above piece of HTML code inserted into several MySpaces pages allows the download and installion of malware on unexpecting user’s machines. With the href being so large, should the visitor mis-click any link, they will be redirected to the infected site. The user might not be suspicious on a media rich site such as MySpace, thinking that they need to install a codec to view a video etc.
For developers like myself, this introduces a problem. The rule is never to trust any user provided content and remove scripts, iframes etc. With this exploit, we will need to validate all external links too.