RonPK - 1:02 pm on Apr 16, 2009 (gmt 0)
Then they figured out how to escape < and >, but in sheer panic escaped them twice, ending up with messy stuff like &amp;gt; in the HTML source, which would be rendered as &gt; to the user. I'm still seeing that right now, so they either haven't noticed or haven't fixed it yet. I like Twitter, like it a lot actually. But this worm thing was so easy to prevent.
Every professional web builder knows not to display unescaped user input in an HTML page. But over at Twitter they allowed users to enter <script> into their bio AND sent it out unfiltered, unescaped. Jeez.
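The two failure modes the post describes, shown side by side as an added example (this is not code from the post or from Twitter): a hypothetical `renderBio` that drops a user's bio into HTML unescaped, the same renderer with proper escaping, and what happens when the already-escaped string is escaped a second time. The bio string is constructed for illustration, and `decodeOnce` is a minimal stand-in for how a browser turns the five entities back into the text the user sees.

```javascript
// Added example, not from the original post. Demonstrates HTML output escaping
// of user-supplied text and the "double escaping" symptom described above.

const ENTITY_MAP = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Escape the characters that can break out of an HTML text or attribute context.
// '&' must be escaped as well, otherwise an attacker can smuggle entities through,
// and it is also the character that makes a second pass visibly "double escaped".
function escapeHtml(str) {
  return String(str).replace(/[&<>"']/g, (ch) => ENTITY_MAP[ch]);
}

// Hypothetical profile renderer (assumption, not Twitter's code). With
// escape=false it reproduces the bug the post complains about.
function renderBio(bio, { escape = true } = {}) {
  const body = escape ? escapeHtml(bio) : bio;
  return `<div class="bio">${body}</div>`;
}

// Constructed sample bio carrying a script tag plus the other special characters.
const SAMPLE_BIO = '<script>alert(1)</script> & "hi"';

// 1. Unescaped: the script tag lands in the page as markup, so the browser runs it.
function vulnerableRender() {
  return renderBio(SAMPLE_BIO, { escape: false });
}

// 2. Escaped once: markup becomes inert text, and the user sees the literal bio.
function safeRender() {
  return renderBio(SAMPLE_BIO);
}

// 3. Escaped twice: the '&' of each entity is itself escaped, so the user sees
//    "&lt;script&gt;" instead of "<script>".
function doubleEscapedRender() {
  return renderBio(escapeHtml(SAMPLE_BIO));
}

// Minimal stand-in for the browser's entity decoding: one pass over the five
// entities produced by escapeHtml, returning the text a user would actually read.
function decodeOnce(html) {
  const back = { amp: '&', lt: '<', gt: '>', quot: '"', '#39': "'" };
  return html.replace(/&(amp|lt|gt|quot|#39);/g, (m, name) => back[name]);
}

function userSees(html) {
  return decodeOnce(html);
}
```

The practical rule is to escape exactly once, at the point where the string is written into HTML, and never when it is stored; a bio saved already escaped and then escaped again on output is how `&amp;gt;` ends up in the page source.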