HTML5 XSS


Author: Gareth Heyes (@hackvertor)

Published: Fri, 20 Mar 2009 21:47:49 GMT

Updated: Sat, 22 Mar 2025 15:38:12 GMT

I did a couple of vectors for PHPIDS recently and I was experimenting with Firefox 3.1 beta and the new HTML5 tags. I found the audio and video tags could be used for XSS; I'm sure there are others too. The vectors are quite cool because they're executed automatically within an <del datetime="2009-03-23T11:10:10+00:00">onload</del> onerror event. (Originally the onload event worked with an invalid video.)

Here are the vectors simplified:

<pre lang="javascript">
&lt;video src=1 onerror=alert(1)&gt;
&lt;audio src=1 onerror=alert(1)&gt;
</pre>

Check out the phpids group on sla.ckers if you want to see the wacky versions which bypass the filtering. I use setTimeout and some js tricks to beat it.
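From the filtering side, the two vectors above show why a filter keyed on known-bad tag names ages badly when the browser gains new elements. The following is an added example, not code from the post or from PHPIDS: the blocklist, the allowlist and all function names are assumptions constructed for illustration, comparing a tag-name blocklist with a sanitizer that rebuilds markup from allowlisted tags and attributes only.

```python
from html import escape
from html.parser import HTMLParser

# Assumed pre-HTML5 tag blocklist, constructed for illustration.
LEGACY_BLOCKLIST = {"script", "img", "iframe", "object", "embed"}
# Assumed allowlist: tag -> attributes permitted on that tag.
ALLOWED = {"b": set(), "p": set(), "a": {"href"},
           "video": {"src", "controls"}, "audio": {"src", "controls"}}

class TagCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.tags = []
    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)

def legacy_blocklist_allows(markup):
    """Weak check: passes any markup that uses no blocklisted tag name."""
    c = TagCollector()
    c.feed(markup)
    c.close()
    return not any(t in LEGACY_BLOCKLIST for t in c.tags)

class AllowlistSanitizer(HTMLParser):
    def __init__(self):
        super().__init__()
        self.out = []
    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED:
            return  # unknown tag dropped; its text is still escaped below
        kept = []
        for name, value in attrs:
            value = value or ""
            if name not in ALLOWED[tag]:
                continue  # removes onerror, onload and every other handler
            if name in ("href", "src") and not value.lower().startswith("https://"):
                continue  # URL attributes must be absolute https
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")
    def handle_endtag(self, tag):
        if tag in ALLOWED:
            self.out.append(f"</{tag}>")
    def handle_data(self, data):
        self.out.append(escape(data))

def sanitize(markup):
    """Rebuild markup from allowlisted tags and attributes only."""
    s = AllowlistSanitizer()
    s.feed(markup)
    s.close()
    return "".join(s.out)
```

The blocklist check passes both vectors untouched because `video` and `audio` are not on its list, while `sanitize` returns the bare element with the handler and the invalid `src` removed.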
