Cross-Site-Scripting with Morse code
This vulnerability demonstrates that developers of apparently harmless web applications that were never intended to be used as serious tools have to be just as careful as programmers of local applications when it comes to checking user input. In this case, simply passing the input through the PHP function htmlentities() would have converted the output of the script into harmless encoded HTML. For further tips on how to secure your own web applications, see heise Security's background article entitled Server peace - Individual security measures for PHP applications.
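An added illustration of the point above, not code from the affected site: a hypothetical Morse decoder that, by assumption, copies unrecognised tokens to its output unchanged, rendered once without and once with htmlentities(). All function names and the sample input are constructed.

```php
<?php
declare(strict_types=1);

// Hypothetical helper: builds the A-Z Morse lookup table.
function morse_table(): array
{
    $codes = '.- -... -.-. -.. . ..-. --. .... .. .--- -.- .-.. -- '
           . '-. --- .--. --.- .-. ... - ..- ...- .-- -..- -.-- --..';
    return array_combine(explode(' ', $codes), range('A', 'Z'));
}

// Hypothetical decoder: whitespace-separated tokens, "/" separates words.
function decode_morse(string $input): string
{
    $table = morse_table();
    $out = '';
    foreach (preg_split('/\s+/', trim($input), -1, PREG_SPLIT_NO_EMPTY) as $token) {
        if ($token === '/') {
            $out .= ' ';
        } else {
            // Assumption: tokens that are not valid Morse are passed through as-is.
            $out .= $table[$token] ?? $token;
        }
    }
    return $out;
}

// Before: the decoded text is written into the page as raw HTML.
function render_unsafe(string $input): string
{
    return '<p>' . decode_morse($input) . '</p>';
}

// After: the decoded text is entity-encoded at the point of output.
function render_safe(string $input): string
{
    $text = decode_morse($input);
    return '<p>' . htmlentities($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8') . '</p>';
}

// Constructed sample input: harmless markup mixed with valid Morse tokens.
$sample = '<i> .... .. </i>';
echo render_unsafe($sample), PHP_EOL; // the browser interprets the <i> element
echo render_safe($sample), PHP_EOL;   // the browser shows the tags as literal text
```

The encoding is applied to the decoder's result rather than to the raw request parameter, so it covers whatever the translation step produces.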
- Morse Code Rickroll 0-day… no, seriously, I mean it, Nathan McFeters' blog entry