I hate it when someone beats me to a bug report. https://addons.mozilla.org/en-US/firefox/user/5578717/ (this example will only work against Firefox). The XSS occurs due to no filtering / escaping of the display name attribute for a user.
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/