Profile: dynamic content

What are the risks of accepting dynamic content (i.e. running JavaScript) from a profile owner?


Although such content is common on the internet and is likely harmless, it can carry security risks. For example, a cross-site scripting attack might allow the profile owner to gain unauthorized access to the viewer's account. (See this cross-site scripting article on Wikipedia for details.)

Because of this potential security risk, user-supplied dynamic content is only enabled in profile pages when the viewer has given permission.
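
One way a site could enforce this kind of per-viewer permission is shown below. This is an added example, not this site's code: the consent store, function names and the use of a sandboxed iframe are all assumptions, and the sandboxing goes beyond the permission check the text describes.

```javascript
// Added example; all names are hypothetical, not the site's own code.
// Constructed sample data: which profile owners each viewer has opted in to.
const consents = new Map([["viewer-1", new Set(["owner-a"])]]);

// Fail closed: unknown or anonymous viewers have granted nothing.
function hasConsent(viewerId, ownerId) {
  const granted = consents.get(viewerId);
  return granted !== undefined && granted.has(ownerId);
}

// Escape owner markup so it is carried as inert text inside the srcdoc attribute.
function escapeAttr(text) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return text.replace(/[&<>"']/g, (ch) => map[ch]);
}

// Owner content always goes in a sandboxed frame.
// sandbox=""              -> scripts in the frame do not run at all.
// sandbox="allow-scripts" -> scripts run, but in an opaque origin that cannot
//                            read the viewer's cookies or the parent page,
//                            because allow-same-origin is never granted.
function renderOwnerContent(viewerId, ownerId, ownerHtml) {
  const tokens = hasConsent(viewerId, ownerId) ? "allow-scripts" : "";
  return `<iframe sandbox="${tokens}" srcdoc="${escapeAttr(ownerHtml)}"></iframe>`;
}

// Constructed sample: a profile that contains a harmless script.
const sample = '<p>Hi</p><script>document.title = "x"</script>';
console.log(renderOwnerContent("viewer-1", "owner-a", sample)); // opted in
console.log(renderOwnerContent("viewer-2", "owner-a", sample)); // not opted in
```

Even for a viewer who has given permission, the frame never receives `allow-same-origin`, so the profile owner's script stays isolated from the viewer's session on the main site.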