> > But, again, Karl, I can't see the relevance to the system > generated SOAP > services page, because there is no facility for the user, > persistent or > non-persistent, to alter the text on that page.
Hm .. you may be right - I now tried the link given by sami, but nothing happened. I just wanted to answer on your initial question, that XSS is not only about storing malicious data in a form, that will be shown later, but also about non persisting things, that are only shown to the victim clicking a manipulated link. So I think we misunderstood each other - my answer was unrelated to the SOAP service page :) Regards Karl
