A CERT Advisory says that all Web browsers, and all Web servers dynamically generating pages based on unvalidated input, can be affected by malicious HTML code, or abused by those posting it.

Tags that can be used for these purposes include: SCRIPT, OBJECT, APPLET, FORM, and EMBED.

You can find the advisory here. It suggests wariness when browsing untrusted links, and also that Web developers recode their dynamic sites to validate output, ensuring that undesirable tags (for example, those posted to message boards) are blocked.

Security information for servers from the following vendors will be posted at the URLs linked below:

Is anyone aware of how safe existing popular applications (major message boards, etc.) are? Personally, it seems to me that this is a problem that many have been aware of for a long time, but maybe attackers are using new methods? The advisory mentions a number of different situations:

and effects:

How do you ensure that your dynamic sites are safe from malicious code?
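
One way to do the output validation the advisory recommends, shown as an added example that is not part of the original post or the advisory: a message-board renderer that entity-encodes every untrusted field at output time, plus a check that reports which of the tags listed above appear in a submission. The function names, the HTML layout and the sample posts are assumptions made for illustration.

```python
import html
import re

# Tags the advisory names as usable for malicious purposes.
RISKY_TAGS = ("script", "object", "applet", "form", "embed")
# Matches an opening or closing risky tag in any letter case, e.g. <ScRiPt or </FORM.
RISKY_TAG_RE = re.compile(r"<\s*/?\s*(" + "|".join(RISKY_TAGS) + r")\b", re.IGNORECASE)


def find_risky_tags(text):
    """Return the sorted risky tag names found in untrusted text (for logging or moderation)."""
    return sorted({m.group(1).lower() for m in RISKY_TAG_RE.finditer(text)})


def render_post(author, body):
    """Build the HTML fragment for one message-board post (hypothetical layout).

    Every untrusted field is entity-encoded when the page is generated, so
    markup inside it is displayed as text instead of being interpreted.
    """
    safe_author = html.escape(author, quote=True)
    safe_body = html.escape(body, quote=True).replace("\n", "<br>\n")
    return f'<div class="post"><b>{safe_author}</b><p>{safe_body}</p></div>'


# Constructed sample posts, not taken from any real board.
SAMPLE_POSTS = [
    ("alice", "Nice article, thanks!"),
    ("bob", 'Click <FORM action="http://example.invalid/"><input name=pw></FORM>'),
    ("carol<script>", "x < y && y > z"),
]

if __name__ == "__main__":
    for author, body in SAMPLE_POSTS:
        # Report what was submitted, then show what the browser will receive.
        print("flagged:", find_risky_tags(author + " " + body))
        print(render_post(author, body))
```

Encoding on output also covers the author field and ordinary text such as `x < y`, which a filter that only looks for the listed tags would either miss or mangle.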