I know, this is a really lame issue. But it's been almost 2 years since CERT alerted to cross-site scripting and gave recommendations on how to prevent such attacks. Yet, major web sites still overlook the possibility that a client may send malicious data intended to be used only by itself. Yahoo, MSN, AOL, Lycos, and Excite suffer from such attacks. For example, accessing the URLs below will cause the JavaScript code to be executed in the browser under the server's domain: http://groups.yahoo.com/group/
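The pattern the post describes is a page that copies a URL parameter straight into its HTML. The following is an added illustration (not code from any of the sites named above): a hypothetical search page that reflects its `q` parameter verbatim, beside the same page with output encoding applied, plus a constructed URL carrying the kind of script fragment the post refers to.

```python
import html
from urllib.parse import urlparse, parse_qs

# Constructed sample URL (not one of the URLs from the post): the q parameter
# carries a percent-encoded <script> element.
SAMPLE_URL = "http://example.invalid/search?q=%3Cscript%3Ealert(1)%3C/script%3E"


def query_param(url: str, name: str) -> str:
    """Return the first value of a query parameter, percent-decoded, or ''."""
    return parse_qs(urlparse(url).query).get(name, [""])[0]


def render_unsafe(url: str) -> str:
    """Reflects the client-supplied parameter into the page unchanged.

    Whatever the client put in the URL becomes markup the browser executes
    in this server's origin, which is the defect described above.
    """
    q = query_param(url, "q")
    return f"<h1>Results for {q}</h1>"


def render_safe(url: str) -> str:
    """Same page, with HTML entity encoding applied at the output point.

    html.escape turns <, >, &, " and ' into entities, so the parameter is
    displayed as text instead of being parsed as an element.
    """
    q = query_param(url, "q")
    return f"<h1>Results for {html.escape(q, quote=True)}</h1>"


def reflects_markup(page: str) -> bool:
    """Crude check used by the demonstration: does a <script> tag survive?"""
    return "<script" in page.lower()


if __name__ == "__main__":
    print("unsafe:", render_unsafe(SAMPLE_URL))
    print("safe:  ", render_safe(SAMPLE_URL))
```

Encoding must match the context the value lands in; `html.escape` is correct for element text and quoted attribute values, but a value placed inside a script block or a URL needs that context's encoding instead.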