On 6/15/07, Joel D Canfield <joel at streamliine.com> wrote:
> > http://www-1.ibm.com/support/docview.wss?uid=swg21233077&loc=%
> > 22%3E%3Cbody%20onload=alert('FAIL')%20x=%22en_US
>
> I'm missing the point - if the page is told to alert 'FAIL' and it does,
> how is that ironic?

It is a tutorial about Cross Server Scripting attacks and how to prevent them. The "fail" alert is injected into the page via XSS, so the page itself is not protected against the thing it explains how to protect yourself against.

--
Chris Heilmann
Book: http://www.beginningjavascript.com
Blog: http://www.wait-till-i.com
Writing: http://icant.co.uk/
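
Added example, not part of the original message: what happens to the `loc` value from the quoted URL when it is written into a page, and the two fixes a defender would apply (output encoding and validating the locale). It assumes the value is reflected inside a double-quoted HTML attribute, which the shape of the parameter suggests but the thread does not show; the `<input>` template and all function names are hypothetical.

```javascript
// Added example. The URL is the one quoted in the thread (rejoined from its two
// wrapped lines); the template and function names are assumptions.
const reported = "http://www-1.ibm.com/support/docview.wss?uid=swg21233077" +
  "&loc=%22%3E%3Cbody%20onload=alert('FAIL')%20x=%22en_US";

// Decode the loc parameter the way a server-side framework would.
function locParam(url) {
  return new URL(url).searchParams.get("loc") ?? "";
}

// Hypothetical "before": the value is concatenated into a quoted attribute.
function renderUnsafe(loc) {
  return '<input type="hidden" name="loc" value="' + loc + '">';
}

// Encode the characters that can end an attribute value or start a tag.
function escapeAttr(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Fix 1: output encoding at the point where the value enters the HTML.
function renderEncoded(loc) {
  return '<input type="hidden" name="loc" value="' + escapeAttr(loc) + '">';
}

// Fix 2: a locale has a tiny grammar, so validate it and fall back to a default.
function normalizeLocale(loc, fallback = "en_US") {
  return /^[a-z]{2}_[A-Z]{2}$/.test(loc) ? loc : fallback;
}

// True when the output contains markup beyond the single <input> tag.
function hasInjectedTag(html) {
  return (html.match(/<[a-z]/gi) || []).length > 1;
}

const loc = locParam(reported);
console.log("decoded loc :", loc);
console.log("unsafe      :", renderUnsafe(loc), hasInjectedTag(renderUnsafe(loc)));
console.log("encoded     :", renderEncoded(loc), hasInjectedTag(renderEncoded(loc)));
console.log("validated   :", normalizeLocale(loc));
```

The decoded value starts with `">`, which closes the attribute and the tag before the `<body onload=...>` element; after encoding it stays inside the attribute as inert text.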