Personally I stay away from bookmarking sites like the plague, but I do know that if you get 10 people digging you that means you get about 5x the amount of traffic to your site. For the blackhat SEO crowd this could be interesting because getting 100 people to digg you will make a lot of other people follow your link, just out of curiosity (and assuming the topic sounds interesting enough).
Of course to get around requiring a user to mouse over the search box you could do something tricky like put it in an iframe and move the iframe to wherever the mouse is on the page it is being called from to execute it, but who’s counting (thanks to Jeremiah Grossman for that particular idea).
But this is a perfect example of why stripping out open and close angle brackets does NOT prevent Cross Site Scripting - a very common misnomer. It closes down HTML injection, but parameter injection, DOM based attacks and things like UTF-7 are all still wide open. Nice find, Clear River!
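To illustrate that point with a small added example (not code from the original post): a search-box value reflected into an attribute, run through the angle-bracket-stripping filter versus proper attribute encoding. The input string, the `renderSearchBox` template and the tiny attribute parser are all constructed for this example.

```javascript
// Added example: why stripping '<' and '>' is not an XSS fix.
// Scenario (constructed): the site reflects the search term into
//   <input name="q" value="USER_INPUT">
// Bracket stripping never touches the double quote that closes the value.

// The naive filter the post is criticising.
function stripAngleBrackets(s) {
  return s.replace(/[<>]/g, "");
}

// Context-aware encoding for an HTML attribute value: quotes are encoded too,
// so the value can never terminate the attribute it lives in.
function encodeForHtmlAttribute(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Hypothetical template: the way a server-side page would splice the value in.
function renderSearchBox(userInput, filter) {
  return `<input name="q" value="${filter(userInput)}">`;
}

// Minimal attribute tokenizer (double-quoted attributes only) used to check
// how a browser-like parser would split the rendered tag.
function parseAttributes(tag) {
  const attrs = {};
  const re = /\s([a-zA-Z-]+)="([^"]*)"/g;
  let m;
  while ((m = re.exec(tag)) !== null) attrs[m[1]] = m[2];
  return attrs;
}

// Constructed input with no angle brackets at all: a quote that closes the
// value attribute, followed by text parsed as a new event-handler attribute.
const constructedInput = '" onmouseover="x';

function demo() {
  const stripped = renderSearchBox(constructedInput, stripAngleBrackets);
  const encoded = renderSearchBox(constructedInput, encodeForHtmlAttribute);
  return {
    stripped,
    encoded,
    // true: the filtered page now carries a third attribute the author never wrote
    strippedBrokeOut: "onmouseover" in parseAttributes(stripped),
    // false: the whole input stays inside value="..." as inert text
    encodedBrokeOut: "onmouseover" in parseAttributes(encoded),
  };
}
```

The same check generalises to any attribute or script context: the question to ask of a filter is whether the output can change the parser's context, not whether a specific character survives.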
Meanwhile Dcrab found a few vulnerabilities in MSN and Amazon. He has not released the exploits, so it’s hard to comment on them, but it’s no surprise.