Hi Glenn, there are persistent and non-persistent XSS attacks. http://en.wikipedia.org/wiki/Cross-site_scripting describes an exploit scenario for non-persisting XSS attacks.
Karl > > But giving somebody a fraudulent link is not cross-site > scripting, and > browser certificate checks would catch that anyway. > > Only the service provider has control over the contents of the > https://www.mybank.com/services/BankingService?wsdl page, Bad > Guy has no > opportunities to enter in data that could alter that page, so I don't > see where the XSS concern is.
