<P> Because HTML documents have a flat, serial structure that mixes control statements, formatting, and the actual content, any non-validated user-supplied data included in the resulting page without proper HTML encoding may lead to markup injection. A classic example of a potential vector is a site search engine: if one searches for a string, the search string will typically be redisplayed verbatim on the result page to indicate what was searched for. If this response does not properly escape or reject HTML control characters, a cross-site scripting flaw will ensue. </P>
<P> A reflected attack is typically delivered via email or a neutral web site. The bait is an innocent-looking URL, pointing to a trusted site but containing the XSS vector. If the trusted site is vulnerable to the vector, clicking the link can cause the victim's browser to execute the injected script. </P>
<P> The persistent (or stored) XSS vulnerability is a more devastating variant of a cross-site scripting flaw: it occurs when the data provided by the attacker is saved by the server, and then permanently displayed on "normal" pages returned to other users in the course of regular browsing, without proper HTML escaping. A classic example of this is with online message boards where users are allowed to post HTML formatted messages for other users to read. </P>
<P> For example, suppose there is a dating website where members scan the profiles of other members to see if they look interesting. For privacy reasons, this site hides everybody's real name and email. These are kept secret on the server. The only time a member's real name and email are in the browser is when the member is signed in, and they can't see anyone else's. </P>
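<P> The site-search case described above, as an added example that is not part of the original page: the same result page is rendered once with the search string redisplayed verbatim and once HTML-encoded, and a structural comparison shows whether the query changed the page's markup. The function names, the page template and the sample queries are assumptions constructed for illustration. </P>

```javascript
// Added example (not from the original page). All names are hypothetical.

// Encode the characters that can end a text node or a quoted attribute value.
// "&" is replaced first so the entities produced below are not re-encoded.
function escapeHtml(text) {
  return String(text)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// The vulnerable behaviour: the search string is redisplayed as-is.
const verbatim = (s) => s;

// A search result page reflects the query in two contexts:
// a quoted attribute (the refilled search box) and element text.
function renderSearchPage(query, encode) {
  const q = encode(query);
  return `<form><input name="q" value="${q}"></form>\n<p>Results for: ${q}</p>`;
}

// Reduce a page to its tags and attribute names, dropping attribute values
// and text, so that two pages can be compared by structure alone.
function structure(html) {
  const tags = html.match(/<\/?[a-zA-Z][^>]*>/g) || [];
  return tags.map((t) => t.replace(/"[^"]*"/g, '""')).join("");
}

// True when the query altered the markup compared with a harmless query,
// i.e. user data was interpreted as HTML rather than shown as content.
function injectsMarkup(query, encode) {
  const baseline = structure(renderSearchPage("plain", encode));
  return structure(renderSearchPage(query, encode)) !== baseline;
}

// Constructed sample queries: a tag, and a quote that closes the attribute.
const samples = ["<script>alert(1)</script>", '" data-injected="1'];
for (const q of samples) {
  console.log(JSON.stringify(q),
    "verbatim:", injectsMarkup(q, verbatim),
    "encoded:", injectsMarkup(q, escapeHtml));
}
```

<P> The second sample contains no angle brackets at all, which is why the quote characters have to be encoded as well when the value lands inside an attribute. </P>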

What HTML tag is often used as part of a cross-site scripting (XSS) attack?