XSS Flaw Specifics
The flaw has been fixed, so I’m providing the details:
Here is what the Facebook note looked like when viewing it on a computer:
The next image shows that the note is properly sanitized.
Here is what it looks like on my iPhone during the alert and after the Wikipedia iframe loads:
As you can see, first the alert pops up, and then the embedded site loads. Both of these events are due to the code I had placed in the note.
I’m left wondering why this only worked from within the iPhone app. I would imagine the note would be sanitized before being stored in the database, rather than sanitized as it is loaded/displayed. Since the fix didn’t include an update of the Facebook for iPhone app, they must have implemented a server-side fix.
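As an added illustration of the server-side fix the post reasons about (example code written for this page, not Facebook's), here is an allowlist sanitizer that every delivery path shares, so a stored note is cleaned no matter which client renders it. The sample note body, the allowed tag set and the in-memory store are all constructed for the example.

```python
import html
from html.parser import HTMLParser

# Constructed sample, modelled on the note the post describes: a script that
# pops an alert, followed by an iframe embedding Wikipedia.
SAMPLE_NOTE = ('Hello <b>world</b><script>alert(1)</script>'
               '<iframe src="https://en.wikipedia.org/"></iframe>')

ALLOWED_TAGS = {"b", "i", "p", "a"}                # formatting a note may keep
ALLOWED_ATTRS = {"a": {"href"}}
DROP_WITH_CONTENT = {"script", "style", "iframe"}  # element and its inner text both go

class NoteSanitizer(HTMLParser):
    """Allowlist sanitizer: keeps a few formatting tags, strips everything
    else (script, iframe, event handlers, javascript: URLs) and escapes text."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.skip = [], 0

    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_CONTENT:
            self.skip += 1                      # swallow the element and its body
        elif tag in ALLOWED_TAGS and not self.skip:
            kept = [f' {n}="{html.escape(v, quote=True)}"' for n, v in attrs
                    if n in ALLOWED_ATTRS.get(tag, ()) and v
                    and v.lower().startswith(("http://", "https://"))]
            self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in DROP_WITH_CONTENT and self.skip:
            self.skip -= 1
        elif tag in ALLOWED_TAGS and not self.skip:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip:
            self.out.append(html.escape(data))  # text is always entity-escaped

def sanitize(note_html):
    parser = NoteSanitizer()
    parser.feed(note_html)
    parser.close()
    return "".join(parser.out)

NOTES = {}  # constructed in-memory store; bodies are kept exactly as submitted

def save_note(note_id, body):
    NOTES[note_id] = body

def render_note(note_id, client):
    """Every delivery path (web page, mobile API) runs the same server-side
    sanitizer, so a client that does no escaping of its own is still safe."""
    return {"client": client, "body": sanitize(NOTES[note_id])}
```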