The program output returned by the backend is not escaped by the frontend. Instead, the output is wrapped in <pre></pre> tags. This exposes the viewer of a submission to a possible HTML/JavaScript injection attack.

Submitted by Vlad Vergu on 24 February 2013 at 18:41

On 25 February 2013 at 09:06 Eelco Visser commented:

Fixed. Compiler output was using rawoutput instead of regular output.


On 25 February 2013 at 09:06 Eelco Visser closed this issue.

On 25 February 2013 at 09:06 Eelco Visser tagged 0.36
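
The difference between the reported behaviour and escaped rendering, as an added example that is not part of this thread or the project's code: a Python stand-in that wraps program output in <pre> with and without HTML escaping, then parses the result to list any elements the output managed to create. The function names and the sample output are constructed for illustration.

```python
import html
from html.parser import HTMLParser

# Constructed sample: text a submitted program might print.
SAMPLE_OUTPUT = 'Hello\n</pre><script>alert("xss")</script><pre>\n1 < 2 && "ok"'


def render_raw(program_output: str) -> str:
    """Reported behaviour: output placed inside <pre> without escaping."""
    return "<pre>" + program_output + "</pre>"


def render_escaped(program_output: str) -> str:
    """Hardened form: HTML-escape the output, then wrap it in <pre>."""
    return "<pre>" + html.escape(program_output, quote=True) + "</pre>"


class _Collector(HTMLParser):
    """Records every start tag and all text seen in a fragment."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.tags, self.text = [], []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)

    def handle_data(self, data):
        self.text.append(data)


def _parse(fragment: str) -> _Collector:
    collector = _Collector()
    collector.feed(fragment)
    collector.close()
    return collector


def injected_tags(fragment: str) -> list:
    """Elements in the fragment beyond the wrapper's own leading <pre>."""
    tags = _parse(fragment).tags
    return tags[1:] if tags and tags[0] == "pre" else tags


def visible_text(fragment: str) -> str:
    """Text a viewer would see once character references are decoded."""
    return "".join(_parse(fragment).text)
```

A regression test for the renderer can assert that injected_tags() is empty for every stored submission output while visible_text() still equals the original output.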
