DD2395/DD2391 HT22

Bonus: Lab W

  • Due No due date
  • Points 1

Lab W Bonus Challenge: Password Theft

Create an attack that will steal the victim's username and password, even if the victim is diligent about only entering their password when the URL address bar shows http://zoobar/.

  • Your solution is a short HTML document that the grader (TA) will open using the web browser.
  • The grader will not be logged in to the zoobar web site before loading your page.
  • Upon loading your document, the browser should immediately be redirected to http://zoobar/, such that the address bar shows nothing else. The grader will now enter a username and password and press the "Log in" button.
  • When the "Log in" button is pressed, post the username and password (separated by a comma) using the log script.
  • The login form should appear normal to the user and, assuming the username and password are correct, the login should proceed the same way it always does.
  • Hint: The site uses htmlspecialchars() to sanitize the reflected username, but something is not quite right.

 

For this attack, you may find that using alert() to test for script injection does not work; Firefox blocks it when it's causing an infinite loop of dialog boxes. Try other ways to probe whether your code is running, such as document.loginform.login_username.value=42.
