This post comes out of a simple cross site scripting error I discovered in an app of mine. Here’s the scenario: