This is a short summary of a goofy XSS/CSRF exploit on an internal web page at Mozilla. A few weeks ago I discovered that our "phonebook" supports a limited wiki-syntax in the profile descriptions (e.g. [link text http://example.com]). Despite proper sanitizing to forbid all markup injections …
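To make concrete what "limited wiki-syntax" plus "proper sanitizing" has to cover, here is an added example of a minimal renderer for the [link text URL] form mentioned above. It is not the phonebook's code and assumes nothing about Mozilla's implementation beyond that syntax: every character outside a recognised link is HTML-escaped, the link text and href are escaped as well, and only http/https URLs become anchors (anything else, such as a javascript: URL, is emitted as escaped plain text).

```python
import html
import re
from urllib.parse import urlsplit

# Hypothetical grammar: a link is "[text URL]" where text may contain spaces
# and URL is the last whitespace-free token before the closing bracket.
WIKI_LINK = re.compile(r"\[([^\[\]]+?)\s+(\S+)\]")
ALLOWED_SCHEMES = {"http", "https"}


def safe_href(url: str):
    """Return url if it parses with an http/https scheme and a host, else None."""
    try:
        parts = urlsplit(url)
    except ValueError:  # e.g. malformed IPv6 literal
        return None
    if parts.scheme.lower() not in ALLOWED_SCHEMES or not parts.netloc:
        return None
    return url


def render(description: str) -> str:
    """Render a profile description: escape everything, turn safe links into <a>."""
    out = []
    pos = 0
    for m in WIKI_LINK.finditer(description):
        # Plain text between links is always escaped, so raw tags never survive.
        out.append(html.escape(description[pos:m.start()]))
        text, url = m.group(1), m.group(2)
        href = safe_href(url)
        if href is None:
            # Disallowed scheme or unparsable URL: keep the token as visible text.
            out.append(html.escape(m.group(0)))
        else:
            # Both the attribute value and the link text are escaped (quotes included),
            # so text like  a" onmouseover="x  cannot break out of the element.
            out.append(
                '<a href="%s" rel="noopener noreferrer">%s</a>'
                % (html.escape(href, quote=True), html.escape(text))
            )
        pos = m.end()
    out.append(html.escape(description[pos:]))
    return "".join(out)


if __name__ == "__main__":
    # Constructed sample inputs: a normal link, a scheme that must be refused,
    # raw HTML, and an attribute-breakout attempt inside the link text.
    for sample in (
        "see [my page http://example.com]",
        "[x javascript:alert(1)]",
        "<b>hi</b>",
        '[a" onmouseover="x http://e.com]',
    ):
        print(render(sample))
```

The point of the scheme allow-list is that escaping alone does not make an href safe; a syntactically harmless javascript: or data: URL passes any tag filter, so the URL has to be validated as a URL, not just as text.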