Hong has been coming up with some really interesting research, including a finding that you can use HTML entities inside event handlers to break out of certain types of encapsulation and mount a cross-site scripting attack. He even has a demo page set up here. Nasty, but how common is this? Well, using event handlers (onmouseover, onload, onunload, etc.) is pretty common, but how many people actually use them this way? That's the question. Well, it turns out at least one company does - Yahoo.
Hong found that you can use this technique to exploit Yahoo Mail. It does require user interaction (as do many event handlers), but in this case it's triggered by the next and previous buttons, which are used by consumers all the time. So while extremely obscure, it could be pretty effective in many cases where users thought they were safely stuck inside the encapsulation. Very nice work Hong!
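To make the mechanism concrete from the defender's side, here is an added example (not from Hong's demo or the original post) that shows why entity-encoding a quote inside an event-handler attribute does not keep it inside the string: the browser decodes entities in attribute values before the JavaScript engine ever parses the handler. The `auditEventHandlers` checker and the `O&#39;Brien` sample HTML are constructed for this example; the escaping helpers at the end show the encoding order that actually holds.

```javascript
// Added example, not code from the original post. Browsers decode HTML
// entities in attribute values *before* handing the text to the JavaScript
// parser, so an entity-encoded quote inside onmouseover="..." becomes a
// real quote and can terminate the string it was supposed to sit inside.
// All HTML below is constructed sample input.

const NAMED = { quot: '"', amp: '&', lt: '<', gt: '>', apos: "'" };

// Decode the entities a browser would resolve inside an attribute value.
function decodeAttrEntities(value) {
  return value.replace(/&(#x[0-9a-f]+|#\d+|[a-z]+);/gi, (match, body) => {
    if (body[0] === '#') {
      const cp = body[1].toLowerCase() === 'x'
        ? parseInt(body.slice(2), 16)
        : parseInt(body.slice(1), 10);
      return Number.isFinite(cp) && cp <= 0x10ffff ? String.fromCodePoint(cp) : match;
    }
    return NAMED[body.toLowerCase()] ?? match;
  });
}

// Audit every on* attribute in a fragment and flag handlers whose decoded
// value contains quote or backslash characters that were only hidden by
// entity encoding, i.e. places where the "encapsulation" is an illusion.
function auditEventHandlers(html) {
  const findings = [];
  const attr = /\s(on[a-z]+)\s*=\s*(?:"([^"]*)"|'([^']*)')/gi;
  let m;
  while ((m = attr.exec(html)) !== null) {
    const raw = m[2] ?? m[3];
    const decoded = decodeAttrEntities(raw);
    if (decoded !== raw && /["'\\]/.test(decoded)) {
      findings.push({ attribute: m[1], raw, decoded });
    }
  }
  return findings;
}

// Correct order for data that must land in a handler: escape it for a JS
// string literal first (so quotes become \uXXXX and survive entity decoding),
// then HTML-escape that result for the attribute context.
function jsStringEscape(s) {
  return s.replace(/[\\'"<>&\u2028\u2029\r\n]/g,
    c => '\\u' + c.charCodeAt(0).toString(16).padStart(4, '0'));
}
function htmlAttrEscape(s) {
  return s.replace(/[&"'<>]/g, c => `&#${c.charCodeAt(0)};`);
}
```

Running `auditEventHandlers` over server-rendered templates is a cheap way to find handlers that rely on `&quot;` or `&#39;` for containment; the better fix is to keep untrusted data out of inline handlers altogether.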