Meta Stack Overflow
<marquee>XSS hole in activity page</marquee> - question titles are not HTML/XML-escaped
[+13] [0] Chichiray
[2010-12-29 18:49:22]
[ bug status-completed recent-activity profile-page ]

On the 2nd page of my activity history [1] there's an XSS hole. The question title appears unescaped in the activity.

(it's by the way not specifically the 2nd page, it appears on every page, see e.g. the OP in question [2])

(7) It's a bit of a waste not titling this <marquee>XSS hole in activity page</marquee> - Michael Mrozek
(1) @Michael: Yes, it also manifests on meta :) - Chichiray
Haha, funny. What about <blink>? - jjnguy
@MichaelMrozek Deviously brilliant - Tim Stone
(1) @BalusC Excellent - Michael Mrozek
Oh my goodness. How long has the activity page been tabbed and paginated? I've waited so long for that. - mmyers
@Michael Myers Yesterday - waiwai933
Yes, I discovered that today and guess what happened when I jumped to the 2nd page... - Chichiray
(1) @Geoff This still happens if you view /inbox directly (I don't think doing that is actually supported, so it probably doesn't matter) - Michael Mrozek
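
An added example, not part of the original thread and not Stack Overflow's code: the title from this page is used as a harmless canary to check every view that prints a question title, since the last comment reports the same title still unescaped at /inbox. The render functions, view names and URL are hypothetical stand-ins for the site's templates.

```python
import html

# Constructed sample: this page's own title, used as a harmless canary value.
CANARY_TITLE = ("<marquee>XSS hole in activity page</marquee>"
                " - question titles are not HTML/XML-escaped")


def render_activity_row_unescaped(title, url):
    # The reported behaviour: the stored title is concatenated into markup as-is.
    return '<td><a href="%s">%s</a></td>' % (url, title)


def render_activity_row(title, url):
    # Encode at output time for the context the value lands in:
    # quoted attribute for the URL, element text for the title.
    return '<td><a href="{}">{}</a></td>'.format(
        html.escape(url, quote=True), html.escape(title))


def render_inbox_item(title, url):
    # Hypothetical second view that was missed when the first was fixed.
    return '<li><a href="%s">%s</a></li>' % (html.escape(url, quote=True), title)


# Hypothetical registry of every view that prints a question title.
VIEWS = {
    "activity": render_activity_row,
    "inbox": render_inbox_item,
}


def views_leaking_markup(views, canary=CANARY_TITLE):
    """Return the names of views whose output still contains the raw tag."""
    leaking = []
    for name, render in views.items():
        out = render(canary, "/questions/0/placeholder")
        if "<marquee>" in out:
            leaking.append(name)
    return sorted(leaking)


if __name__ == "__main__":
    print(render_activity_row(CANARY_TITLE, "/questions/0/placeholder"))
    print("views still leaking markup:", views_leaking_markup(VIEWS))
```

Run as a regression test, the check fails for any view added later that skips the encoding step.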