Apex Component error: Element type "input" should be followed by either attribute specifications, ">" or "/>"

Not sure if you have faced this situation, but let's see what we're trying to accomplish.

Scenario Display 2 radio buttons, one unchecked and another one checked based on the value of a variable.

How was developed
For educational purposes I'll just show 1 radio button :) <input type="radio" name="payment_options" {!IF(that.cartBean.payInInstallments == true,'','checked')} > Pay full amount today </input>
Looks simple, however we got the weird error message listed as title of this post.

Solution
After thinking carefully and asking salesforce support, we end up with the same solution
<apex:outputPanel rendered="{!that.cartBean.PayInInstallments == false}"> <input type="radio" name="payment_options" checked="checked" /> Pay full amount today </apex:outputPanel> <apex:outputPanel rendered="{!that.cartBean.PayInInstallments == true}"> <input type="radio" name="payment_options"/> Pay full amount today </apex:outputPanel> In order to display 1 radio button only, we have to write code for 2 radio buttons!

I hope this saves you valuable time.

Modify iframe contents with Javascript

Conventionally, you are not allowed to play around with the contents of an iframe of external url with javascript. But with the use of javascript injections, you can do it very easily.
For example, you want to modify the values of text fields in the web page open in an iframe, but the web page is from an external url. What you would have tried first would have been:
document.frames[0].document.getElementById( “username”).value=”my user name”;
But this does not work when you open the web page in a browser. So what to do? Let’s explore the possibilities of doing this with JavaScript Injections.
We know that we have the full permissions to modify the url of an iframe. So what we do is, document.getElementById(‘externaliframe’).src=”javascript:void( document.getElementById(‘username’).value=’my user name’ );”;
And viola! The username is changed!

Applications:
Possible applications of such injections are:

• Automatic form filling Modifying the contents of iframe with document.getElementById(‘name’).innerHTML =”bla bla…”;
• Automatic login by using document.getElementById( ‘submit button’).click();
• Automatic posting/commenting on sites like facebook, wordpress blogs, etc.
• Or you can go further and insert a full javascript file into the external web page with: var ga = document.createElement(‘script’); ga.type = ‘text/javascript’; ga.async = true; ga.src = ‘your javascript file url’; var s = document.getElementsByTagName( ‘script’)[0]; s.parentNode.insertBefore(ga, s);

Examples: document.getElementById(‘externaliframe’).src=”javascript:void( document.writeln(‘Added html contetnt!’) );”; document.getElementById(‘externaliframe’).src=”javascript:void( document.getElementById(‘form’).submit() );”; Anything else you can imagine of!

Cross-site Scripting (XSS)

Cross-Site Scripting attacks are a type of injection problem, in which malicious scripts are injected into the otherwise benign and trusted web sites. Cross-site scripting (XSS) attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser side script, to a different end user. Flaws that allow these attacks to succeed are quite widespread and occur anywhere a web application uses input from a user in the output it generates without validating or encoding it.

An attacker can use XSS to send a malicious script to an unsuspecting user. The end user’s browser has no way to know that the script should not be trusted, and will execute the script. Because it thinks the script came from a trusted source, the malicious script can access any cookies, session tokens, or other sensitive information retained by your browser and used with that site. These scripts can even rewrite the content of the HTML page.

The normal practice is to HTML-escape any user-controlled data during redisplaying in JSP, not during processing the submitted data in servlet nor during storing in DB. In JSP you can use the JSTL (to install it, just drop jstl-1.2.jar in /WEB-INF/lib) <c:out> tag or fn:escapeXml function for this. E.g.

<%@ taglib uri="http://java.sun.com/jsp/jstl/core" prefix="c" %> ... <p>Welcome <c:out value="${user.name}" /></p> OR <%@ taglib uri="http://java.sun.com/jsp/jstl/functions" prefix="fn" %> ... <input name="username" value="${fn:escapeXml(param.username)}">
This is the classic example: http://127.0.0.1:8088/sitexfer-testing/index.jsp?ERROR_MSG=INVALID_TARGET_DOMAIN&authtype=AUTH_T3%20style=width:expression(alert(1))&appname=DEFAULT_TIER3&TARGET=%24SM%24http%3A%2F%2Fwww.google.com Look carefully to the param authtype, did you see the alert(1)??? If you don't write safe code, you might get an infinite loop in your screen :)

For more details please go to: https://www.owasp.org/index.php/Cross-site_Scripting_(XSS)