Pick a script that appears in the page, encode it into the request using a form parameter that the site ignores, and pass that URL to the victim. The browser would have no knowledge that the form parameter is being ignored, and just see that its contents have been repeated in the page.
Copyright © 2017, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds