Protecting a web site against cross-site scripting attacks can be a daunting challenge. Roughly speaking, you have to ensure that no executable script can be inserted into your pages by your users. But browsers are famously accepting of mis-formed HTML. Figuring out what strings of text might contain executable script requires understanding all of the variety of interpretations browser will bestow on crappy HTML. If you assume a pristine universe of correctly-formed HTML, you are opening yourself up to attacks which exploit oddball edge cases.

RSnake (Robert Hansen) has compiled a list of all sorts of strings which could be interpreted as executable script by various browsers: XSS Cheat Sheet. It’s a fascinating look at the alternative representations for familiar constructs (http scheme names can have tabs in them?), and a sobering demonstration of the ingenuity and technical depth that bad guys can bring to bear on cracking your site.

The ha.ckers blog describes new exploits and vulnerabilities as they are discovered, and can also be a useful source of information.