This has been demo'd a long time ago already [1], and it seems they haven't done anything yet? Wtf.

[1] http://www.davidnaylor.co.uk/massive-twitter-cross-site-scripting-vulnerability.html
"appears to be due to a lack of input validation of the application name field"

They should just be sure that they _render_ the application name field appropriately. Angle brackets should be escaped, minimally. It's really not so difficult, Ruby does it with three calls to gsub:

http://rdoc.sourceforge.net/rd/doc/classes/CGI.src/M000003.html
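Added example (not Twitter's code, not the linked CGI source): the render-time escaping the comment above describes, applied to an application name field, with the raw interpolation beside it for comparison. The sample application name and the `render_via` helpers are constructed for this example.

```ruby
# Output-side HTML escaping, in the spirit of CGI.escapeHTML's gsub approach.
# Done in a single pass, so the entities it produces are never re-escaped.
ESCAPES = {
  '&' => '&amp;', '<' => '&lt;', '>' => '&gt;',
  '"' => '&quot;', "'" => '&#39;'
}.freeze

def escape_html(text)
  text.to_s.gsub(/[&<>"']/) { |c| ESCAPES[c] }
end

# Constructed sample: an application name that carries markup.
TAINTED_APP_NAME = '<script>alert(1)</script>'

# Unsafe rendering (hypothetical): the stored name is interpolated raw,
# so any markup in it becomes part of the page.
def render_via_unsafe(app_name)
  "via <a href=\"/apps\">#{app_name}</a>"
end

# Safe rendering: escape exactly once, at the point of output.
# Escaping the same string twice is what produces the visible
# "&amp;" instead of "&" that double-encoding bugs show.
def render_via(app_name)
  "via <a href=\"/apps\">#{escape_html(app_name)}</a>"
end

# Simple check used to compare the two renderings.
def contains_script_tag?(html)
  html.include?('<script')
end
```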
At least this script in particular seems pretty harmless. I glossed over the "rainbow links" code, so maybe there was something vicious in there.

Either way, XSS sucks. Surprised that they haven't plugged this one yet.
Twitter is probably still using Rails 2.3, where you have to explicitly tell the framework to html escape every time you're outputting a string.

Rails 3 changes this by always html escaping strings.
This seems a good time to mention interpolique: http://recursion.com/interpolique.html

I'm curious what people here think of that idea, i.e., preventing string injection attacks at the language level.
Twitter sure does have issues with stuff like this. I noticed a while back that they were double encoding some strings on output, too - I had an ampersand in my location and it was showing as &amp; on the page.
None of the code looks malicious, but I would suggest that if you have a Twitter account and/or are logged into it, don't visit the page because he might be stealing cookies.