and wide open to the funkiest XSS you can imagine--boy did that ever blow my mind when someone explained the idea to me, I had been coding hardcore JS for years but it never clicked that this would allow you to pwn everything. Except my mind went more into practical joke settings: "hey I can inject JS and make all links on this guestbook EXPLODE if you click them?? aahaha"