Tim Marman blogs about iGo’s website being bad. So I went to their site, forced an error by changing a querystring a little, and I see that they are passing the error message in the querystring! Bad programmer! After Scott Guthrie’s presentation the other night on cross-site scripting attacks, I thought, “I wonder if you could put JavaScript in the querystring?” Well, the answer is YES! Yikes!

I was going to provide a link to the site with a little “alert” message, but it’s probably better to leave that as an exercise for the reader…
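
The pattern described above (an error message carried in the querystring and written into the page), shown beside two fixes. This is an added example, not part of the original post and not the site's code; the `error` and `code` parameter names, the message table and the sample URL are assumptions made for illustration.

```javascript
// Added example: parameter names, messages and URLs below are hypothetical.

// Escape the characters that are significant in HTML text and attribute values.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
  }[ch]));
}

// The pattern from the post: error text arrives in the querystring and is
// written into the page unencoded, so markup in the URL becomes markup in the page.
function renderErrorUnsafe(url) {
  const message = new URL(url).searchParams.get("error") || "";
  return `<p class="error">${message}</p>`;
}

// Fix 1: HTML-encode on output, so the browser shows the text instead of parsing it.
function renderErrorEncoded(url) {
  const message = new URL(url).searchParams.get("error") || "";
  return `<p class="error">${escapeHtml(message)}</p>`;
}

// Fix 2 (stronger): the URL carries only an error code; the text shown to the
// user comes from a server-side table, so a link cannot supply arbitrary wording.
const ERROR_MESSAGES = Object.freeze({
  E100: "That product could not be found.",
  E200: "Your session has expired. Please sign in again.",
});
const GENERIC_ERROR = "Something went wrong. Please try again.";

function renderErrorByCode(url) {
  const code = new URL(url).searchParams.get("code") || "";
  // Own-property check so codes like "__proto__" do not hit inherited members.
  const known = Object.prototype.hasOwnProperty.call(ERROR_MESSAGES, code);
  return `<p class="error">${escapeHtml(known ? ERROR_MESSAGES[code] : GENERIC_ERROR)}</p>`;
}

// Constructed sample input: a URL whose parameters contain markup.
const SAMPLE_MARKUP = "<script>alert(1)</script>";
const SAMPLE_URL = "https://shop.example/error?error=" +
  encodeURIComponent(SAMPLE_MARKUP) + "&code=" + encodeURIComponent(SAMPLE_MARKUP);

console.log("unsafe: ", renderErrorUnsafe(SAMPLE_URL));
console.log("encoded:", renderErrorEncoded(SAMPLE_URL));
console.log("by code:", renderErrorByCode(SAMPLE_URL));
```

Fix 2 also stops a crafted link from putting attacker-chosen wording on the site's own error page, which output encoding alone does not prevent.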