I wanting to show you guys a little bit of code I inserted into an online job application I filled out this morning:
<style="font-size:0px" Hey, if you see this text, you should know that I'm a pretty special candidate. Can you make sure you let the hiring manager know? Anyway, shoot me an email if you see this, ok?>
I was surprised that I could edit the source code of the system's paste-in resume block-- but when I reloaded the page, the text was still in there. I'm hopeful that someone will at least see it and get a good chuckle.
Or, and more importantly, I also hope it will make the site's administrator aware of the potential security concern this creates. A few choice SQL commands dropped into this form would really mess up his day. And probably a lot of other people's. I did't do that because I'm not a jerk. But trust me, there are a lot of jerks out there.
I'll let update this post if I get an email from anyone about this. But I know I won't. Trust me, I've been on corporate teams that built this kind of garbage, and even if (and that's usually a pretty big if) someone on the team was well aware of the potential security risk, the rest of the team either downplayed it, didn't believe it, or blew it off.