Last year, a user managed to inject arbitrary JavaScript into the syntax of red numbers. Can someone explain how this was done, and how I can check if my site is vulnerable?
Blog post about exploit:
http://blog.reddit.com/2009/09/we-had-some-bugs-and-it-hurt-us.html
The patch that fixed it:
https://github.com/reddit/reddit/commit/1f1f0606f5b6bf14a0db55a28cfd03e1e42e3550