According to security expert Tyler Reguly of nCircle, data fields for storing meta-information offer plenty of latitude for future cross-site scripting (XSS) attacks. JavaScript embedded in Whois and DNS records and in SSL certificates, for instance, can, under certain circumstances, be executed in a browser.
There are, for example, web services which carry out online checks on SSL certificates from other servers. As well as cryptographically relevant information, such services also display data on a certificate's owner and who it was issued by.

If a service fails to filter the query data correctly, the user's browser may execute JavaScript contained in it. Attackers could exploit this to carry out various activities, such as copying login cookies or changing the profile settings of a user's account with the web service. SSL Shopper is one service provider that was affected by this issue.
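The filtering failure described above, as an added example that is not code from the article or from any service it names: a certificate checker's result table built without and with output encoding. The field names, the `title` attribute and the sample values are assumptions constructed for illustration.

```python
import html

# Constructed sample: fields as a checker might hold them after parsing a
# remote server's certificate. Every value is controlled by whoever created
# the certificate, not by the service displaying it.
SAMPLE_CERT = {
    "subject_cn": "www.example.test",
    "subject_o": "Example Org<script>alert(1)</script>",
    "issuer_cn": 'Test CA" onmouseover="alert(1)',
}

# Hypothetical display labels for the result table.
LABELS = {
    "subject_cn": "Common name",
    "subject_o": "Organization",
    "issuer_cn": "Issued by",
}


def render_unsafe(cert):
    """Flawed pattern: field values are concatenated into markup unchanged."""
    rows = [
        '<tr><th>%s</th><td title="%s">%s</td></tr>' % (LABELS[k], v, v)
        for k, v in cert.items()
    ]
    return "<table>" + "".join(rows) + "</table>"


def render_safe(cert):
    """Encode each value for the HTML text and quoted-attribute contexts."""
    rows = []
    for k, v in cert.items():
        e = html.escape(v, quote=True)  # encodes & < > " and '
        rows.append('<tr><th>%s</th><td title="%s">%s</td></tr>' % (LABELS[k], e, e))
    return "<table>" + "".join(rows) + "</table>"


def fields_with_markup(cert):
    """Names of fields containing < > or ", worth logging for review."""
    return sorted(k for k, v in cert.items() if any(c in v for c in '<>"'))


if __name__ == "__main__":
    print(render_unsafe(SAMPLE_CERT))
    print(render_safe(SAMPLE_CERT))
    print(fields_with_markup(SAMPLE_CERT))
```

Encoding happens at output time, so the stored certificate data stays intact for cryptographic checks while the browser only ever receives it as inert text.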

The link for this article located at H Security is no longer available.