
> If they broke out of their content area and started manipulating the DOM
> on other parts of the page, this wouldn't even be the end of the world.
> (they'd eventually get caught & banned)
>
> I'm more concerned about malicious things they could do to the end-user,
> e.g. cookie theft.


But if you let them manipulate the DOM, how are you going to prevent script injection? Because that's all you need to steal cookies. And if the attacker's sly, he will conceal the injection, delaying the being-caught part until he has got enough valid sessions....

I don't know what mysterious site you're talking about, since I'm not into social network stuff, but I'd sure like to know how they manage that problem...

Greetz!
