> > It is a tutorial about Cross Server Scripting attacks and how to
> > prevent them. The "fail" alert is injected to the page via XSS, so the
> > page itself is not protected against the thing it explains how to
> > protect yourself against.
>
> um, right. obviously. so much for *my* powers of observation.
>
> time for another cuppa tea, methinks, or perhaps something a little
> stronger

More obvious with this one:
http://www-1.ibm.com/support/docview.wss?uid=swg21233077&loc=%22%3E%3Cbody%20style='background:url(http:%2F%2Fmathieu-sylvain.net%2Flolcat.gif)'%20x=%22en_US

--
Chris Heilmann
Book: http://www.beginningjavascript.com
Blog: http://www.wait-till-i.com
Writing: http://icant.co.uk/
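
Added example, not part of the thread and not code from either site: it decodes the `loc` parameter of the URL quoted above and compares an attribute built by raw concatenation with one that is encoded and allowlisted. The `<input>` template, the locale pattern and the `en_US` fallback are assumptions made for illustration.

```python
import html
import re
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlsplit

# URL quoted in the message above; its loc parameter carries markup.
URL = ("http://www-1.ibm.com/support/docview.wss?uid=swg21233077&loc=%22%3E%3C"
       "body%20style='background:url(http:%2F%2Fmathieu-sylvain.net%2Flolcat.gif)'"
       "%20x=%22en_US")

LOCALE_RE = re.compile(r"[a-z]{2}(_[A-Z]{2})?")  # assumed locale shape, e.g. en_US
DEFAULT_LOCALE = "en_US"                          # assumed fallback

def loc_param(url):
    """Return the decoded loc query parameter, as a server would receive it."""
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return query.get("loc", [DEFAULT_LOCALE])[0]

def render_unsafe(loc):
    # Hypothetical template: the raw value is concatenated into an attribute.
    return '<input type="hidden" name="loc" value="' + loc + '">'

def render_escaped(loc):
    # Same template, with the value HTML-encoded (quotes included).
    return '<input type="hidden" name="loc" value="' + html.escape(loc, quote=True) + '">'

def render_safe(loc):
    # Allowlist first, then encode anyway as defence in depth.
    if not LOCALE_RE.fullmatch(loc):
        loc = DEFAULT_LOCALE
    return render_escaped(loc)

class _Tags(HTMLParser):
    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)

def tags_in(markup):
    # List the start tags an HTML parser sees in the rendered markup.
    parser = _Tags()
    parser.feed(markup)
    parser.close()
    return parser.tags
```

With raw concatenation the parser sees a second element after the `<input>`; with encoding it sees only the `<input>`, and with the allowlist the value collapses to the fallback locale.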