Crazy RSS Contains unsafe script http://crazy.example.com/ en <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Crazy HTML -- Can Your Regex Parse This?</title> </head> <body notRealAttribute="value"onload="executeMe();"foo="bar" > <!-- <script> --> <!-- <script> --> </script> <script > function executeMe() { /* <script> function am_i_javascript() { var str = "Some innocuously commented out stuff"; } < /script> */ alert("Executed"); } </script > <h1>Did The Javascript Execute?</h1> <div notRealAttribute="value "onmouseover=" executeMe(); "foo="bar"> I will execute here, too, if you mouse over me </div> </body> </html>