
Anyone else already find the XSS in genius.it?

Edit: wow, the whole thing is seriously broken. Emailing them now.

Edit 2: It's not as broken as I thought, and these guys are quick to reply and try to figure things out. To be clear, I haven't gotten it to run arbitrary JS, just include arbitrary HTML, which isn't as dangerous.



Let us know; this'd be very helpful! tom@genius.com


BTW would really love to link to a particular annotation.


I noticed it when http://genius.com/5104616 was broken where John included the <div> tag.


Emailed.


>Anyone else already find the XSS in genius.it?

This is a sandboxed domain, like googleusercontent, so not a bug. XSS on genius.com would be a vulnerability.


How is including arbitrary html not as dangerous, when arbitrary html also means <script> tags?


I'm not sure what exactly he's referring to, but annotations allow you to use markdown and some (limited, heavily sanitized and whitelisted) html, so that could be what he was talking about.


heavily sanitized and whitelisted html isn't really arbitrary, is it?


To clarify, it appears that both genius.it and genius.com use Markdown which allows HTML. Their code sanitizes it, so that you can't include attributes of tags, and you can't include certain tags such as <script>, <style>, <link>, or <meta>. I spent about 10 minutes on it and could not break it. That isn't to say it cannot be broken, just that it's not wide open and obvious attacks are mitigated.

I was able to XSS myself: when I added certain types of malicious code it did execute, but if I reload the page the malicious part is not rendered. In other words, it's filtered on the output, not input, and the rendering is different for content fetched from the server vs content you just created. You can execute code in your own browser, but not for anyone else (as far as I was able to).

Their team is very responsive and took my concerns over this seriously.
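An allowlist sanitizer of the kind the comment above describes (a fixed set of permitted tags, every attribute discarded, `<script>` and `<style>` removed together with their contents, everything else escaped as text), written here as an added example in Python. It is not genius.com's code; the tag list and the `sanitize()` name are assumptions made for the example. The comment's second observation, that freshly created content rendered differently from content fetched from the server, is the reason the function is meant to run at output time on every path that produces HTML, so that the two renderings cannot diverge.

```python
"""Allowlist HTML sanitizer (added example; not genius.com's code).

Assumptions: the allowed-tag set below is constructed for this example,
and every attribute is dropped, matching the thread's description that
tag attributes are not permitted.
"""
from html import escape
from html.parser import HTMLParser

# Constructed allowlist: only these tags survive, and only their names.
ALLOWED_TAGS = frozenset({"p", "br", "b", "i", "em", "strong",
                          "ul", "ol", "li", "blockquote", "code", "pre"})
# Tags whose text content is also discarded: a <script> body is code, not prose.
DROP_CONTENT_TAGS = frozenset({"script", "style"})
# Void elements that never take a closing tag.
VOID_TAGS = frozenset({"br"})


class AllowlistSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.dropping = None     # name of the <script>/<style> we are inside, if any
        self.open_allowed = []   # stack of allowed tags we emitted, to keep output balanced

    def handle_starttag(self, tag, attrs):
        if self.dropping:
            return                      # inside <script>/<style>: ignore everything
        if tag in DROP_CONTENT_TAGS:
            self.dropping = tag         # HTMLParser treats the body as raw text until </tag>
            return
        if tag in ALLOWED_TAGS:
            # attrs (onclick=, href=, style=, ...) are never copied to the output
            self.out.append(f"<{tag}>")
            if tag not in VOID_TAGS:
                self.open_allowed.append(tag)
        # any other tag (div, img, iframe, ...) is dropped; its text still flows through

    def handle_startendtag(self, tag, attrs):
        # <br/> style self-closing tags
        self.handle_starttag(tag, attrs)
        if tag not in VOID_TAGS:
            self.handle_endtag(tag)

    def handle_endtag(self, tag):
        if self.dropping:
            if tag == self.dropping:
                self.dropping = None
            return
        if tag in ALLOWED_TAGS and tag in self.open_allowed:
            # close back to the matching open tag, closing anything left open in between
            while self.open_allowed:
                t = self.open_allowed.pop()
                self.out.append(f"</{t}>")
                if t == tag:
                    break

    def handle_data(self, data):
        if not self.dropping:
            # text is re-escaped, so "&lt;" in the input comes out as "&lt;", not "<"
            self.out.append(escape(data, quote=False))

    def result(self):
        # close whatever the author left unclosed so the fragment cannot
        # swallow the surrounding page markup
        while self.open_allowed:
            self.out.append(f"</{self.open_allowed.pop()}>")
        return "".join(self.out)


def sanitize(html_fragment):
    """Return a sanitized HTML fragment containing only allowlisted tags."""
    p = AllowlistSanitizer()
    p.feed(html_fragment)
    p.close()
    return p.result()


if __name__ == "__main__":
    # constructed sample inputs
    for sample in ['<p onclick="alert(1)">hi</p>',
                   '<script>alert(1)</script>ok',
                   '<div>x</div>',
                   '<b>bold <i>both</b> tail',
                   '1 &lt; 2 <img src=x onerror=alert(1)>']:
        print(repr(sample), "->", repr(sanitize(sample)))
```

Because the parser, not a regular expression, tokenizes the input, unquoted attributes, self-closing tags and unbalanced nesting are all handled by the same code path; the only decisions the sanitizer makes are "is this tag allowed" and "escape everything that is text".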



