<html> <body> <p><img onLoad.="alert(document.cookie)" src="skins/default/images/roundcube_logo.png" /></p> <p><a href="mailto:xss@somehost.net') && alert(document.cookie) || ignore('">mail me!</a> <a href="http://roundcube.net" target="_self">roundcube.net</a> <a href="http://roundcube.net" \onmouseover="alert('XSS')">roundcube.net (2)</a> </p> <div>Brilliant!</div> <table><tbody><tr><td background="javascript:alert('XSS')">BBBBBB</td></tr></tbody></table> <p> Have a nice Christmas time.<br /> Thomas </p> </body> </html>