I wrote the below about 3 months ago (mid july) and published it, but a day later decided to remove the post from my blog – one such exploit like this that was found before took myspace offline for a few hours. It appears myspace have now fixed (well, partly..) the issue I’ve documented here, so I now consider it safe to publish.
Seems I’ve foudn a way of exploiting a hole in myspace’s XSS filters!
Myspace block all kinds of common XSS exploits from your profile, however, I’ve found a way around it! I did email them explaining that I took 2 hours trying to find it, and asking if they offered any incentive to report it to them – but I didn’t hear back. I guess I might as well publish it then…
<div <img /> href="#" onmouseover="alert('moo')">w00t</div>
Using that foothold, I’m sure there’s many things you could do….