Comment Re:Sigh. (Score 1) 289
This is no different from a money transfer, where people can enter a custom message. You get data into your system from an untrusted source and you have to be smart enough to sanitize it.
In fact, I once checked if it was possible to inject JavaScript in a web banking application using a money transfer (while being paid to do so).