igor0
9
Well, don’t take my word for it, I’m just guessing here… but I can imagine a tiny JavaScript snippet appended to such a page, which would extract the exploit text from the page and copy it into the real HTML, i.e. activate it. That way, including the exploit code “as text” would be a nice way of fooling the AV scanner (if the AV scanner ignored the text fields on purpose).
So, I am not sure if we’d really want to perform that kind of deep analysis…