A little page I whipped up to teach developers about some simple XSS attack vectors.  Figured I'd share.

It can be a little quarky because of caching.

www.g-rawkz.com/xss.php

That's really handy... and... I was just about to whip something like that up for a demo that i'm giving, but you hit all the points i need. Could i trouble you for your source?

it does the trick! i'll see if i can slip in a nod...

btw, welcome to the forum... very helpful first post!

all hail hypnotoad. <clap>

Thanks for the welcomes.  EH seems like a pretty good forum that somehow I never stumbled upon until now.

Also any suggestions on how this page could be improved are welcomed.  Although XSS is a fairly old problem, in my experience I find it all over the place in the applications put out at my place of business and across web in general.  Even with certain filters protecting against stealing session cookies by stopping harmful tags like script and iframe, I have demonstrated how its possible to deface a webpage overlaying login forms that submit to my controlled server.  Not all XSS can lead to something evil, but there are many creative ways they can be used and I see it as a major problem especially when used as a spear phish attack via email.

'all glory to the hypnotoad'

Take a look at the HTML5 Security Cheatsheet.