Hacker News
by txt 1729 days ago
Very cool. Reminds me of a few years back when I was writing apps for Facebook...along with their fan pages. They had their own markup language 'fbml' and 'fbjs'. The app was executed in a sandbox inside an iframe, which you could add as a tab on a fan page as well. A few times I broke through their sandbox, allowing me to run any XSS on page load, even on the fan page...it grabbed their token and added friends, invited a random number of friends to a fan page, liked fan pages, then posted a status update...all random, and it would base it on how many friends the user had. Anyway, a big problem was other developers stealing my code thanks to it being JS...So I ended up using every bug in JS like this, to confuse. I made a function that would pull element names/type/src etc., then used that as an alphanumeric definition. So my source had no spelt-out names...on top of using JS hacks...then finally obfuscating. I remember the last time I did this and released it into the wild...it was patched up by FB in the morning after it was sent to a security researcher who posted it on his popular site for his audience to reverse engineer, which they did in a few hours...everything but the few lines that were passed to FB's sandbox that returned the broken code which enabled me to run the XSS.... Gooooood times...JavaScript is fun#!