That may not be the best example, but the examples on
http://ha.ckers.org/xss.html show that it is extremely difficult to write a set of regexes or otherwise a blacklist filter that can detect all attacks. The following are some examples from xss.html that would require particularly complex regexes to detect.
Code:
<IMG SRC=javascript:alert('XSS')><<SCRIPT>alert("XSS");//<</SCRIPT>
<iframe src=http://ha.ckers.org/scriptlet.html <
¼script¾alert(¢XSS¢)¼/script¾
<STYLE>@im\port'\ja\vasc\ript:alert("XSS")';</STYLE>
That is one reason why BBCode and other markups are popular: no HTML tags are allowed at all. And of course, the alert() is just one example of a javascript snippet that could do harm. An actual hack would involve capturing keystrokes and sending them to some server via ajax or reading private data using ActiveX or who knows what else.
I ran into a vulnerability, for example, where the display of a username was not escaped on a customer service app with financial info. It would potentially allow a hacker to set a short snippet as their username and inject a keylogger that would persist in a parent frame. All you would need to do is call customer service. When they pull up that file, the CS agent would notice nothing out of the ordinary, but the script could extract info about other customer accounts when the CS agent pulled up other accounts on subsequent calls.
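As an added example (not part of the post above, and not code from the linked cheat sheet), the following JavaScript puts the post's two claims side by side: a regex blacklist that looks reasonable, gets patched to survive one bypass, and still passes other payloads untouched; and the alternative the post recommends, escaping everything and rendering only a BBCode subset, applied to the unescaped-username display from the customer-service anecdote. The `NESTED` and `TAB_HREF` payloads are constructed for this example; `IMG_SRC` and `CSS_IMPORT` are the cheat-sheet entries quoted in the post. Function names (`naiveBlacklist`, `iterativeBlacklist`, `escapeHtml`, `renderBBCode`, `renderUsernameSafe`) are this example's own.

```javascript
// Added example: blacklist filtering vs. escaping. Not code from the post or
// from ha.ckers.org; function names and the constructed payloads are assumptions.

// --- Sample inputs ---------------------------------------------------------
// Quoted in the post from the XSS cheat sheet:
const IMG_SRC    = "<IMG SRC=javascript:alert('XSS')>";
const CSS_IMPORT = '<STYLE>@im\\port\'\\ja\\vasc\\ript:alert("XSS")\';</STYLE>';
// Constructed for this example:
const NESTED   = '<scr<script>ipt>alert(1)</script>';        // defeats single-pass stripping
const TAB_HREF = '<a href="jav\tascript:alert(1)">click</a>'; // URL parsers drop tabs/newlines
                                                              // inside the scheme, regexes do not

// --- The blacklist approach ----------------------------------------------
// A deliberately naive filter of the kind the post argues cannot be completed.
const BLACKLIST = [
  /<script\b[^>]*>/gi, // opening <script ...> tags
  /<iframe\b/gi,       // iframes
  /javascript:/gi,     // javascript: URLs
  /\bon\w+\s*=/gi,     // inline event handlers such as onerror=
];

// Single pass: every pattern is applied exactly once.
function naiveBlacklist(input) {
  let out = input;
  for (const re of BLACKLIST) out = out.replace(re, '');
  return out;
}

// "Fixed" version: repeat until nothing changes, which closes the nested-tag
// hole above but does nothing for payloads the regexes never match.
function iterativeBlacklist(input) {
  let prev, out = input;
  do { prev = out; out = naiveBlacklist(prev); } while (out !== prev);
  return out;
}

// --- The escaping approach -----------------------------------------------
// Encodes the five characters that can open a tag or break out of a quoted
// attribute in HTML text and attribute contexts. (JS, CSS and URL contexts
// need their own encoders; this one is for the HTML body and quoted attributes.)
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, c => map[c]);
}

// True once a string can no longer form markup or leave a quoted attribute.
function cannotFormMarkup(s) {
  return !/[<>"']/.test(s);
}

// The username display from the post's anecdote, rendered the broken way
// (raw concatenation) and the safe way (escape on output).
function renderUsernameUnsafe(name) {
  return '<span class="user">' + name + '</span>';
}
function renderUsernameSafe(name) {
  return '<span class="user">' + escapeHtml(name) + '</span>';
}

// BBCode in the spirit the post describes: no HTML from the user survives,
// because everything is escaped first and only [b]...[/b] is then translated.
function renderBBCode(text) {
  const safe = escapeHtml(text);
  return safe.replace(/\[b\]([\s\S]*?)\[\/b\]/gi, '<b>$1</b>');
}

// --- Stand-alone demonstration -------------------------------------------
for (const [label, p] of [['IMG_SRC', IMG_SRC], ['NESTED', NESTED],
                          ['TAB_HREF', TAB_HREF], ['CSS_IMPORT', CSS_IMPORT]]) {
  console.log(label);
  console.log('  naive     :', naiveBlacklist(p));
  console.log('  iterative :', iterativeBlacklist(p));
  console.log('  escaped   :', escapeHtml(p));
}
console.log(renderUsernameUnsafe(NESTED));
console.log(renderUsernameSafe(NESTED));
console.log(renderBBCode('[b]hello[/b] <script>alert(1)</script>'));
```

Run it with `node`. The obvious `IMG_SRC` payload is neutered by the blacklist, which is what makes such filters look adequate in testing; `NESTED` turns into a clean `<script>` tag after one pass and only the looping variant catches it; `TAB_HREF` and `CSS_IMPORT` come out of both variants byte-for-byte unchanged. The escaper, by contrast, never needs to know what the payload was trying to do, which is the whole argument for escaping on output (or a markup like BBCode that allows no HTML at all) over blacklisting on input.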