Why it's a great idea to do a thorough security check BEFORE submitting to sites.

Discussion in 'Security' started by DrMalloc, Sep 27, 2006.

  1. #1
    Warning: post contains swears.

    This is quite a lighthearted thread aimed to encourage you all to make sure you've blocked off the most obvious security holes in your sites before submitting to anywhere like digg.com, using a true story. A few months back a guy wandered into an IRC channel I frequent, and asked us to "try out" a web 2.0 site that he'd written. So I poked around, found that the admin page was unprotected and that the front page would output the data in the database without escaping it. Being quite a harsh critic of most of the hype surrounding the "Web 2.0" phenomenon, I threw in a quick javascript redirect to fuckweb2.com (after poking around for a couple of minutes with little javascript snippets for alert boxes including phrases such as "got apes?"). The owner of fuckweb2.com commented in the channel that the site had just received more than a thousand visitors in quite a short space of time. It turns out, the site made it onto the front page of digg.com roughly 20-30 minutes before my javascript injection. Oops. I made an apology to the guy; if I'd known that the site was on the front page of Digg, I wouldn't have injected any code, but it demonstrates the need to fully audit your own site's custom code before submitting to big sites just in case you unexpectedly DO make the front page. Here's a wonderful picture composed of screenshots from that day (the "shut the fuck up" page is fuckweb2.com):

    [IMG]
    DrMalloc, Sep 27, 2006 IP
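The two holes the post describes, unescaped database output on the front page and an unguarded admin page, are both things a pre-submission self-check should catch. The following Python is an added example written for this thread, not code from DrMalloc or the site in the story; the stored comments, the template, and the function names (`render_unsafe`, `render_escaped`, `contains_live_script`, `guard_admin`) are all constructed here for illustration. It puts the vulnerable rendering beside the escaped form, gives a crude check a site owner can run over rendered output before going live, and shows the minimal route guard the admin page was missing.

```python
import html
import re

# Constructed sample of stored content as it might come back from the database.
# The second entry is the kind of text a visitor could have submitted; the
# template puts no <script> of its own into the page, so any that shows up in
# the rendered output came from stored data.
STORED_COMMENTS = [
    "First post on my shiny new site!",
    "<script>alert('got apes?')</script>",
    "Love the design & the idea",
]

PAGE_TEMPLATE = "<html><body><ul>{items}</ul></body></html>"


def render_unsafe(comments):
    """The hole from the story: database text dropped straight into the markup."""
    items = "".join(f"<li>{c}</li>" for c in comments)
    return PAGE_TEMPLATE.format(items=items)


def render_escaped(comments):
    """The fix: every untrusted value is HTML-escaped at the moment it is output.
    quote=True also escapes ' and " so the value is safe inside attributes."""
    items = "".join(f"<li>{html.escape(c, quote=True)}</li>" for c in comments)
    return PAGE_TEMPLATE.format(items=items)


# Matches an opening <script tag (case-insensitive, optional whitespace after '<').
SCRIPT_TAG = re.compile(r"<\s*script\b", re.IGNORECASE)


def contains_live_script(page_html):
    """Self-audit check for a template that emits no scripts itself: a <script
    tag in the rendered page means stored data reached the browser unescaped."""
    return SCRIPT_TAG.search(page_html) is not None


def guard_admin(path, session):
    """Minimal route guard for the admin area. `session` is a hypothetical dict
    the app fills in after login. Returns an HTTP status: 403 if a non-admin
    (or nobody) tries to reach /admin, 200 otherwise."""
    if path == "/admin" or path.startswith("/admin/"):
        if not session.get("user") or not session.get("is_admin"):
            return 403
    return 200


if __name__ == "__main__":
    print("unsafe page has live script:", contains_live_script(render_unsafe(STORED_COMMENTS)))
    print("escaped page has live script:", contains_live_script(render_escaped(STORED_COMMENTS)))
    print("anonymous /admin ->", guard_admin("/admin", {}))
    print("admin /admin    ->", guard_admin("/admin", {"user": "alice", "is_admin": True}))
```

The escaping belongs at output time rather than at storage time: the same comment may later be rendered into HTML, a JSON feed, or an email, and each of those contexts needs its own encoding. The `contains_live_script` check only works because this template emits no scripts of its own; on a real site the equivalent check is comparing the rendered page against what the template alone produces.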