Watch out for the ‹ and the <
In some of my postings, I present you with code. Until recently, I used a very nifty client-side code formatting solution to make it look really pretty. Some time ago this stopped working, because the good people at DotNetJunkies.com upgraded from .Text to CommunityServer. I can see why this is necessary, but it makes my life a lot more complicated in certain ways. The syntax coloring solution uses TEXTAREA tags and client-side script. To prevent cross-site scripting attacks, CS allows only certain HTML tags in postings and strips all unexpected attributes as well. Exit code.
So I decided to go the official XHTML way and place my code inside ‹XMP> tags. This works fine, but when I want to show XML code to you, the reader, it is still stripped away, because CS decides that it might be malicious HTML. Again, I see why, but still... what a pain. So my latest trick for showing you code is basically a canonicalisation attack: I replace the [first character of an XML tag] in the code with a ‹. It is Unicode U+2039 (Alt + 0139) and looks like an angle bracket, but isn't. Now when you copy code from my page, it will not work, because it may look like XML, but it isn't. Sorry for that.
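As an added example (my own code, not from the original post), here is a Python helper that spots the look-alike brackets this trick relies on, folds them back to ASCII so copied code works again, and flags text that only turns into markup after folding; the confusables beyond U+2039/U+203A and the sample snippet are my own additions.

```python
import re
import unicodedata

# Look-alikes of the ASCII angle brackets. U+2039/U+203A are the pair the post
# uses; the other rows are further common confusables (my own addition).
CONFUSABLE_BRACKETS = {
    "\u2039": "<", "\u203a": ">",  # single left/right-pointing angle quotation mark
    "\u2329": "<", "\u232a": ">",  # left/right-pointing angle bracket
    "\u3008": "<", "\u3009": ">",  # CJK left/right angle bracket
    "\u27e8": "<", "\u27e9": ">",  # mathematical left/right angle bracket
    "\uff1c": "<", "\uff1e": ">",  # fullwidth less-than / greater-than sign
    "\ufe64": "<", "\ufe65": ">",  # small less-than / greater-than sign
}

# Constructed sample: XML as the post would show it, with only the opening
# bracket of each tag swapped for U+2039 (the closing ">" stays ASCII).
SAMPLE = "\u2039XMP>\u2039root attr=\"1\">\u2039/root>\u2039/XMP>"

TAG = re.compile(r"</?[A-Za-z]")  # ASCII "<" followed by a tag name (or "/")

def find_confusable_brackets(text):
    """List (offset, char, Unicode name) for every look-alike bracket in text."""
    return [(i, ch, unicodedata.name(ch))
            for i, ch in enumerate(text) if ch in CONFUSABLE_BRACKETS]

def nfkc_folds_to_ascii(ch):
    """True if compatibility normalization alone turns ch into "<" or ">"."""
    return unicodedata.normalize("NFKC", ch) in ("<", ">")

def restore_angle_brackets(text):
    """Fold look-alikes back to ASCII so code copied from the page is real markup."""
    # Map directly rather than via NFKC: NFKC would also rewrite ligatures and
    # fullwidth letters, which changes more of a snippet than intended.
    return "".join(CONFUSABLE_BRACKETS.get(ch, ch) for ch in text)

def hides_a_tag(text):
    """True when text has no ASCII tag but gains one once look-alikes are folded.
    A sanitizer that only scans for "<" passes such text; the disguise is harmless
    in the browser, but any later step that folds the character makes it live markup."""
    return TAG.search(text) is None and TAG.search(restore_angle_brackets(text)) is not None

if __name__ == "__main__":
    for offset, ch, name in find_confusable_brackets(SAMPLE):
        print(f"offset {offset}: U+{ord(ch):04X} {name}")
    print(restore_angle_brackets(SAMPLE))
    print("hidden tag:", hides_a_tag(SAMPLE))
```

Note that NFKC alone does not rescue U+2039 (it has no compatibility mapping), while the fullwidth U+FF1C does fold to "<", so a defender's normalization step needs an explicit confusables table, not just a normalizer.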