
I find marquee extremely useful, for one reason: HTML injection.

I find it helpful to test for HTML injection vulnerabilities because marquee moves, and it's a tag that (almost) nobody intentionally uses, making it easy to identify when an attack works.

I also find it helpful to show non-technical people the effects of HTML injection, because, again, it moves. "This moves and it really shouldn't move" is something people understand better than "this text is bold and it really shouldn't be bold."



When doing HTML sanitization, I always whitelist marquee as an easter egg (and almost nothing else)


I browse Hacker News through a custom aggregator. This post is how I found out it’s susceptible to HTML injection - a (2020) was marqueeing across my screen.


Same here. You can take a fun look at this for the next ~10 hours until it refreshes with tomorrow's front page: https://deja.de.hueve.ar/hn

Also: I built the thing, so maybe I should fix it some time.


This whole comment section must be absolute hell to look at on that...


Ironically, it's a titles/links only aggregator. My way of browsing social media antisocially.


I've always used the <plaintext> tag - an unclosable element that converts the rest of the document into raw HTML. It's very obvious.

https://developer.mozilla.org/en-US/docs/Web/HTML/Reference/...
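The two approaches the thread describes, an allowlist sanitizer that admits marquee and almost nothing else, and spotting telltale tags like marquee or plaintext in feed titles, can be shown in a few lines. The following is an added example written for this page, not code from any commenter or from the aggregator mentioned above. It escapes every character that could open markup first, then re-enables only bare, attribute-free tags from a small allowlist, so an injected plaintext or script tag is rendered as literal text; a second function lists the tag names present in raw input so an aggregator can log titles that carry markup. The allowlist contents, the sample title and the function names are all assumptions.

```javascript
// Added example (not from the thread's authors): escape-first allowlist sanitizer
// plus a small detector for markup in untrusted feed titles.

// Assumed allowlist: the "marquee as an easter egg (and almost nothing else)" policy.
const ALLOWED_TAGS = new Set(["b", "i", "marquee"]);

// Escape every character that can start or end markup or break out of an attribute.
function escapeHtml(s) {
  return s
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Escape everything, then restore only bare allowlisted tags such as <marquee>
// or </marquee>. Anything with attributes (e.g. event handlers) stays escaped
// because the pattern requires "&gt;" immediately after the tag name.
function sanitize(untrusted) {
  const escaped = escapeHtml(String(untrusted));
  return escaped.replace(/&lt;(\/?)([a-z][a-z0-9]*)&gt;/gi, (match, slash, name) => {
    const tag = name.toLowerCase();
    return ALLOWED_TAGS.has(tag) ? `<${slash}${tag}>` : match;
  });
}

// Detection: return the sorted, de-duplicated tag names found in raw input.
// "a < b" or "1<2" do not match because a tag name must start with a letter.
function tagNamesIn(untrusted) {
  const names = new Set();
  const re = /<\/?([a-z][a-z0-9]*)/gi;
  let m;
  while ((m = re.exec(String(untrusted))) !== null) {
    names.add(m[1].toLowerCase());
  }
  return [...names].sort();
}

// Constructed sample title, the kind of thing the aggregator above would ingest.
const SAMPLE_TITLE = "Show HN: A thing I built (2020) <marquee>scrolls</marquee> <plaintext>";

function demo() {
  return {
    rendered: sanitize(SAMPLE_TITLE),
    markupSeen: tagNamesIn(SAMPLE_TITLE),
  };
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(demo());
}
```

Because escaping happens before the allowlist check, a sanitizer bug can only fail closed (a tag stays escaped), never open; the detector is what you would wire to logging so a marquee scrolling across the front page is noticed by the operator rather than by the readers.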



