Web Security Horror Stories: The Director's Cut. Slides from the talk on web application security I gave this morning at <head>, the worldwide online conference. I just about managed to resist the temptation to present in my boxers. Topics include XSS, CSRF, Login CSRF and Clickjacking.
I forgot to ask in the Q&A...
Services like tinyurl.com should implement some sort of filter (just like the one you mentioned from IE8, checking querystring against page content) to avoid reflected attacks, no?
(I didn't catch the first slides, so maybe you mentioned that. If so, sorry.)
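A minimal version of the check the comment describes, comparing query-string values against the response body the way an IE8-style reflected-XSS filter does, added here as an illustration; it is not code from the talk or the commenter, and the URLs and response bodies are constructed samples.

```python
from urllib.parse import urlsplit, parse_qsl
import html

# A query value is only interesting if it carries HTML-active characters;
# plain words echoed back into a page are not a reflection problem.
MARKERS = ("<", ">", '"', "'", "javascript:")


def reflected_params(url, body):
    """Return the names of query parameters whose decoded value contains
    HTML-active characters and appears verbatim (unencoded) in the body.

    A hit means the page echoed the parameter without output encoding,
    which is the signal a reflected-XSS filter keys on. A value that only
    appears in its HTML-escaped form is treated as safely encoded.
    """
    hits = []
    query = urlsplit(url).query
    for name, value in parse_qsl(query, keep_blank_values=True):
        lowered = value.lower()
        if len(value) < 4 or not any(m in lowered for m in MARKERS):
            continue
        if value in body:
            hits.append(name)
    return hits


def should_block(url, body):
    """Convenience wrapper: True when any parameter is reflected unencoded."""
    return bool(reflected_params(url, body))


# Constructed samples: the same harmless probe, once percent-encoded in the
# URL (parse_qsl decodes it) and once literal.
URL_ENCODED = "https://short.example/r?q=%3Ci%3Eprobe%3C%2Fi%3E&page=2"
URL_LITERAL = "https://short.example/r?q=<i>probe</i>&page=2"
UNSAFE_BODY = "<p>You searched for <i>probe</i> (page 2)</p>"
SAFE_BODY = "<p>You searched for " + html.escape("<i>probe</i>") + " (page 2)</p>"

if __name__ == "__main__":
    print(reflected_params(URL_ENCODED, UNSAFE_BODY))  # ['q']
    print(reflected_params(URL_LITERAL, SAFE_BODY))    # []
```

The `page=2` parameter is ignored even though "2" appears in the body, because it carries no HTML-active characters; that length-and-marker gate is what keeps a filter like this from flagging ordinary echoed text.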