“A web site may inadvertently include malicious HTML tags or
script in a dynamically generated page based on unvalidated input
from untrustworthy sources. This can be a problem when a web
server does not adequately ensure that generated pages are properly
encoded to prevent unintended execution of scripts, and when input
is not validated to prevent malicious HTML from being presented to
the user.”
“Most web browsers have the capability to interpret scripts
embedded in web pages downloaded from a web server. Such scripts
may be written in a variety of scripting languages and are run by
the client’s browser. Most browsers are installed with the
capability to run scripts enabled by default.”
“Many Internet web sites overlook the possibility that a client
may send malicious data intended to be used only by itself.”
“In addition to scripting tags, other HTML tags such as the
<FORM> tag have the potential to be abused by an
attacker.”