You can roll dice, like for play-by-post games.
You can name each roll and provide notes. Then you can lookup the roll by number and your data is saved in the database. There may be SQL injections here... but I'm simply poking at the XSS part. User input data isn't scrubbed enough on name input and on the landing page, name because a link.
So, if we make the name of the roll :
When you lookup the roll and mouse over the link, it runs our script to display an alert of "1". Here is a saved roll showing it working. http://www.coyotecode.net/roll/lookup.php?rollid=219494
I basically looked at the generated source and figure out what I had to type to alter the HTML/DOM to have my code in there.
I had to change this :
Into this :
The idea was provide a short name, f, in this case, then a quote and then set a new attribute on the link, the mouse over scripting. It inserts a "> at the end of the name, so I leave the final end quote off of "alert(1)". I thought I needed the space between " and onmouseover but it turns out you don't and the browser inserts it for you, thanks Chrome.