
So like, it's not a big deal overall in and of itself; but this kind of incredibly basic security malpractice makes me skeptical of giving anyone my credit card information. I figure there are other folks out there who may feel the same. Sorry admins if this is way too off-topic, but I figure the combination of it being about a gamer-merchant and the general tech topic of web security makes it a relevant topic for General. Basically, the XSS prevention method on this form on NewEgg is to just replace any kind of HTML-interpretable character with its hardcoded equivalent on the change event for the textarea.

 

I only noticed because I tried to put in an apostrophe and I got back '. It appears that on submission they are actually adding this block to the DOM somewhere, and lo and behold a script tag literally runs on submission. The proper solution to this UI experience is to take the string from the submitted form and then sanitize it before doing anything with it, if you really needed to display it in the DOM, which they have absolutely no context to do at this point.
 

For those of you who don't know about the risks of XSS attacks, the general risk is: this is a comment upload form that is uploading itself as HTML. The server itself may sanitize the code out of this comment (in fact, that's the only real solution to this type of attack), but the fact that they would make such a rookie mistake on the frontend implies to me that they might think this solution is impenetrable. If anywhere in any form they allow an unsanitized text string to make it between users, then the attacker could upload something actually sinister, like making a service request to get account data for the victim and then sending it back to another server.
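As an added example that is not part of the original post (and not NewEgg's code): the pattern the post argues for is escape-on-output on the server. The comment is stored exactly as received, and HTML-significant characters are escaped only at the moment the comment is rendered into an HTML text node. The store, the function names and the sample comment below are all constructed for this illustration. The `doubleEscaped` helper shows why an apostrophe comes back as a literal entity when the browser escapes on change and the server escapes again on output.

```javascript
// Added example, not from the original post. Demonstrates server-side
// escape-on-output for user comments, versus escaping in the browser.

// HTML text/attribute-context escaper. These five characters are the ones
// that can change how the surrounding markup is parsed.
const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};

function escapeHtml(str) {
  return String(str).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Constructed in-memory comment store standing in for a database.
const commentStore = [];

// The server keeps the raw string. It must not assume the browser escaped
// anything: the page's JavaScript is under the client's control, so the
// server can only trust what it does itself. Escaping at storage time is
// also wrong: the data becomes unusable in non-HTML contexts (JSON APIs,
// e-mail) and gets double-escaped by any renderer that escapes again.
function saveComment(text) {
  commentStore.push(text);
  return commentStore.length - 1;
}

// Rendering is the only place HTML is produced, so it is the place where
// escaping belongs. Whatever the stored text contains, it becomes inert
// text inside the <p>.
function renderComment(index) {
  return `<p class="comment">${escapeHtml(commentStore[index])}</p>`;
}

// What the post's user saw: the textarea's change handler escapes the
// apostrophe to &#39; before submit, and a correct server escapes again on
// output, so the page shows the entity text literally.
function doubleEscaped(text) {
  return escapeHtml(escapeHtml(text));
}

// Check used by the test: the rendered text node contains no unescaped
// characters that could open a tag or break out of an attribute.
function isSafeHtmlText(rendered) {
  const inner = rendered
    .replace(/^<p class="comment">/, '')
    .replace(/<\/p>$/, '');
  return !/[<>"']/.test(inner);
}

module.exports = { escapeHtml, saveComment, renderComment, doubleEscaped, isSafeHtmlText, commentStore };
```

The store holds `<script>` text untouched and the rendered output still cannot contain a live tag; that is the property the post says the frontend trick cannot provide on its own, because the server sees whatever string the client chose to send.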

 

