A colleague and I were checking out the 3D view now built into Firefox. What a nifty way to visualize the page structure! Well, it turns out it also helped us discover a vulnerability in our web app: a bit of untrusted user input that we forgot to encode before outputting. Read on to find out how.
Care must be taken to encode all untrusted input before displaying it back to the user. Attackers can take advantage of unencoded output to embed malicious tags and run arbitrary scripts on another user's computer. While this is less of a risk when data is not shared among multiple users, one should still carefully encode output.
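To make the point concrete, here is an added example (not code from our app) that renders the same constructed input with and without encoding and counts the elements the markup would create, which is the kind of unexpected extra page structure a DOM visualizer makes visible. The function names, the comment template and the sample input are all hypothetical.

```javascript
// Added example; every name here is hypothetical, the input is constructed.

// Characters that change meaning in HTML element content or quoted attributes.
const HTML_ESCAPES = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#39;",
};

// Encode untrusted text for HTML element content or a quoted attribute value.
// This is not sufficient for script, style or URL contexts.
function escapeHtml(untrusted) {
  return String(untrusted).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// The mistake: untrusted input concatenated straight into markup.
function renderCommentUnsafe(author, text) {
  return `<div class="comment"><span class="author">${author}</span><p>${text}</p></div>`;
}

// The fix: encode every untrusted value at the point of output.
function renderCommentSafe(author, text) {
  return `<div class="comment"><span class="author">${escapeHtml(author)}</span>` +
         `<p>${escapeHtml(text)}</p></div>`;
}

// Rough count of opening tags in a markup string, standing in for the
// number of elements a browser would build from it.
function countOpeningTags(markup) {
  return (markup.match(/<[a-zA-Z][^>]*>/g) || []).length;
}

// Constructed sample: harmless markup, but markup the template never intended.
const sampleAuthor = "Pat";
const sampleText = 'I <em>really</em> like <a href="#">this</a> & that';

const unsafeHtml = renderCommentUnsafe(sampleAuthor, sampleText);
const safeHtml = renderCommentSafe(sampleAuthor, sampleText);

// The template defines three elements (div, span, p). Anything above that
// came from user input being parsed as markup instead of shown as text.
console.log("unsafe:", countOpeningTags(unsafeHtml), unsafeHtml);
console.log("safe:  ", countOpeningTags(safeHtml), safeHtml);
```

The encoder covers element content and quoted attribute values only; values placed inside script blocks, style blocks or URLs need encoding suited to those contexts.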