> But how could Bad Guy inject that on the Available SOAP > services page? > AFAIK cross-site scripting is only a problem when you allow > user entry > of fields that are reproduced as-is on HTML pages.
He can give you a link that misuses a trustworthy domain to show his content Karl
