The following PHP code is vulnerable to an XSS attack via the 'name' parameter.
An attacker could send a request such as the following:
Any server-side code can make this mistake (not just PHP), but it is especially easy (and common) in PHP, since PHP code is responsible for everything delivered to the client.
Here's a working example:
Chrome will prevent this attack, but other browsers won't.
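As an added example (not code from the original page), here is the mistake described above in PHP next to its fix. The vulnerable function copies the 'name' parameter straight into the HTML response; the hardened one encodes it for the HTML context with htmlspecialchars() first. To keep the file runnable from the command line, a constructed array stands in for $_GET, and the function names are illustrative.

```php
<?php
// Added example, not from the original page: reflected XSS via the 'name'
// parameter and its fix. A constructed array replaces $_GET so this runs on
// the CLI; renderGreetingVulnerable/renderGreetingSafe are hypothetical names.

declare(strict_types=1);

// VULNERABLE: the untrusted parameter is written into the markup unchanged,
// so any tags or script it contains become part of the page.
function renderGreetingVulnerable(array $query): string
{
    $name = $query['name'] ?? 'guest';
    return "<p>Hello, " . $name . "!</p>";
}

// HARDENED: encode for the HTML context before output. ENT_QUOTES also encodes
// single and double quotes, so the value stays inert inside attribute values.
// The explicit charset matters: encoding for the wrong charset can be bypassed.
function renderGreetingSafe(array $query): string
{
    $name = $query['name'] ?? 'guest';
    $escaped = htmlspecialchars($name, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return "<p>Hello, " . $escaped . "!</p>";
}

// Constructed input: what a request with ?name=<script>alert(1)</script>
// would put into $_GET['name'].
$constructedQuery = ['name' => '<script>alert(1)</script>'];

echo "Vulnerable output:\n" . renderGreetingVulnerable($constructedQuery) . "\n\n";
echo "Hardened output:\n" . renderGreetingSafe($constructedQuery) . "\n";
```

The rule the hardened version follows is to encode at the point of output for the context the data lands in (here, HTML text). A value that is later placed inside a JavaScript string or a URL needs a different encoder, which is why "sanitizing" input once on the way in is not a substitute.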
A malicious cross-site script can steal any information on the page, in the DOM, or in the site's cookies. For example, if your username and password are stored in the browser as a cookie, a malicious script could read them and send them to a third-party malicious server. This is quite easy; an <img> tag will do nicely:
The cross-site script would not be able to make an AJAX request directly to badsite.com, but the Same-Origin Policy does not stop the browser from loading resources via <img> tags (or other elements that simply fetch a resource) from any origin.
The "opposite" of an XSS attack is an XSRF attack. XSRF actually takes XSS one step further, and causes unauthorized actions on the server because of a compromised client. If your site is vulnerable to XSS, then it is easily exploited via XSRF, because a cross-site script could cause your browser to make unauthorized requests to a server. For example, if your bank's website was attacked, scripts in your browser might cause your money to be transferred somewhere else!
Since the <img> tag's request goes to bank.example.com, any of that site's cookies present in your browser will be sent along with the request for the image. Even though it is just a request for a harmless image, your password, username, session key, etc. might be sent along with the request (since browsers send cookies with every request to the associated server). At the server end, there is nothing to indicate that only an image is being requested, and the server might perform an action (withdraw money!). No authorization from you is necessary, because your session information is included with the request (assuming you are logged in).
Sites that let you post images, including forums, eBay, MySpace, etc. are very susceptible to this attack.
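As an added example (not code from the original page), the following PHP shows the server-side defences that address the two cookie problems above: the cookie theft via an injected <img> and the cookie-riding image request that triggers an action. It assumes a hypothetical state-changing endpoint such as a transfer form, uses the PHP session for storage, and replaces $_SERVER, $_POST and $_SESSION with constructed arrays so it runs from the command line; the function names are illustrative.

```php
<?php
// Added example, not from the original page. Defends a hypothetical
// state-changing endpoint against cookie theft and cross-site request forgery.
// Constructed arrays stand in for $_SERVER, $_POST and $_SESSION.

declare(strict_types=1);

// 1. Cookie hardening, called before session_start() in a real application.
//    HttpOnly keeps document.cookie from exposing the session id to an injected
//    script; SameSite=Lax stops the browser attaching the cookie to cross-site
//    subresource requests such as an <img> embedded on another site.
function hardenSessionCookie(): void
{
    session_set_cookie_params([
        'httponly' => true,
        'samesite' => 'Lax',
        'secure'   => true,
        'path'     => '/',
    ]);
}

// 2. Issue a per-session anti-CSRF token; a form embeds it in a hidden field.
//    An attacker's page cannot read it, so it cannot forge a valid request.
function csrfToken(array &$session): string
{
    if (empty($session['csrf_token'])) {
        $session['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $session['csrf_token'];
}

// 3. A state change must arrive as a POST carrying the session's token.
//    Rejecting GET alone already stops the <img> trick, since image requests
//    are always GET; hash_equals() compares the token in constant time.
function isAuthorizedStateChange(string $method, array $post, array $session): bool
{
    if ($method !== 'POST') {
        return false;
    }
    if (empty($session['csrf_token']) || empty($post['csrf_token'])) {
        return false;
    }
    return hash_equals($session['csrf_token'], $post['csrf_token']);
}

hardenSessionCookie();

// Constructed requests: a cookie-riding GET as produced by <img src=...>,
// a POST with a guessed token, and a POST from the site's own form.
$session = [];
$token   = csrfToken($session);

$requests = [
    'img-style GET'   => ['method' => 'GET',  'post' => []],
    'forged POST'     => ['method' => 'POST', 'post' => ['csrf_token' => 'guess']],
    'legitimate POST' => ['method' => 'POST', 'post' => ['csrf_token' => $token]],
];

foreach ($requests as $label => $req) {
    $ok = isAuthorizedStateChange($req['method'], $req['post'], $session);
    echo str_pad($label, 16) . ($ok ? "allowed\n" : "rejected\n");
}
```

The three measures are complementary: HttpOnly limits what an XSS payload can read, SameSite limits which cross-site requests carry the cookie at all, and the token check means the server no longer has to trust the presence of a cookie as proof that the user intended the action.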