If the website outputs the current URL on the page and performs no escaping, then there might be an XSS problem.
– Erlend Jun 01 '13 at 18:18
As in sloppy coding on the site, that says `'Sorry, could not load '+unescaped-input+'!'`. That could insert a script into the page.
– NoBugs Jun 02 '13 at 23:43
Exactly. And those kinds of vulns (XSS) are quite common. I've seen several pentesting companies report finding XSS in over 80% of the sites they assess.
– Erlend Jun 04 '13 at 12:39
http://www.veracode.com/reports/index.html for instance. High dependence on language for prevalence. Java is at 57%. ColdFusion at 95%!
– Erlend Jun 06 '13 at 19:21
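
The unescaped error message described in the comments above, next to an HTML-encoded version, as an added example that is not part of the original thread. The function names (`escapeHtml`, `renderErrorUnsafe`, `renderErrorSafe`) and the sample URL are constructed for illustration.

```javascript
// Added example; all names here are hypothetical, not from any site or library.

// Characters that are significant in HTML element bodies and quoted attributes.
const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};

// Encode untrusted text in a single pass, so '&' in the output is never re-encoded.
function escapeHtml(untrusted) {
  return String(untrusted).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// The pattern from the comment: request data concatenated straight into markup.
function renderErrorUnsafe(requestedUrl) {
  return '<p>Sorry, could not load ' + requestedUrl + '!</p>';
}

// Same message, with the URL encoded before it reaches the page.
function renderErrorSafe(requestedUrl) {
  return '<p>Sorry, could not load ' + escapeHtml(requestedUrl) + '!</p>';
}

// Constructed sample input: a requested path that carries markup.
const sampleUrl = '/missing<script>alert(1)</script>?a=1&b="x"';

// In the unsafe output the markup from the URL becomes part of the page.
console.log(renderErrorUnsafe(sampleUrl));
// In the safe output the same characters are displayed as plain text.
console.log(renderErrorSafe(sampleUrl));
```

The encoding shown covers HTML body and quoted-attribute contexts only; a value placed inside a script block, a URL attribute or a style needs the encoding for that context.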