An example of how such an attack could be conducted would be to get the user to copy and paste the code in Fig. 2.1 into their address bar and then press Enter to run it.
In Social Networking Environments
If a user is tricked into running malicious code on a social networking site, their personal information and that of their contacts may be put at risk without their knowledge. Furthermore, the user's account may be used to distribute spam or content that encourages contacts to fall victim to the same attack themselves. In this instance, the probability that a contact executes the code would be greater, as it would appear to have originated from a trusted source. An example of how a user could be tricked into performing an XSS attack on themselves is shown in Fig. 2.2.
Although most recent Internet browsers allow more than just URL redirection to occur in the address bar (e.g. search), I do not believe that script execution is required from within it. I feel that allowing it goes against users' mental models of what the address bar does, and I believe that it is too susceptible to abuse by malicious parties, particularly in the area of social networking.
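The mitigation argued for above can be illustrated with a small filter of the kind browsers later adopted for the address bar: pasted text whose scheme resolves to `javascript` is stripped of that scheme, so pressing Enter produces a search or navigation rather than script execution in the current page's origin. The following is an added example written for this discussion, not code from the original work or from any browser; the function names and the sample inputs are constructed. It follows the URL standard's input cleaning (leading and trailing C0 controls and spaces removed, ASCII tab and newline removed anywhere) and folds case, so obfuscated spellings such as `JaVa<tab>ScRiPt:` are still recognised.

```javascript
// Added example: a defensive address-bar paste filter modelled on the
// mitigation discussed in the text. Not taken from any browser's source.

// Remove the characters the URL standard strips before parsing: leading and
// trailing C0 controls/spaces, and ASCII tab, LF and CR anywhere in the input.
function stripUrlNoise(text) {
  return text
    .replace(/^[\u0000-\u0020]+|[\u0000-\u0020]+$/g, "")
    .replace(/[\t\n\r]/g, "");
}

// Return the lower-cased scheme name if the (cleaned) text starts with one,
// otherwise null. Scheme syntax per RFC 3986: ALPHA *( ALPHA / DIGIT / "+" / "-" / "." ).
function extractScheme(text) {
  const m = /^([a-z][a-z0-9+.-]*):/i.exec(stripUrlNoise(text));
  return m ? m[1].toLowerCase() : null;
}

// True when the pasted text would be treated as a javascript: URL.
function isJavascriptUrl(text) {
  return extractScheme(text) === "javascript";
}

// Apply the mitigation: drop the javascript: scheme from pasted text so the
// remainder is handled as an ordinary search/navigation string. Returns the
// text that should actually land in the address bar and whether it was changed.
function filterAddressBarPaste(text) {
  const cleaned = stripUrlNoise(text);
  if (!isJavascriptUrl(cleaned)) {
    return { text: cleaned, filtered: false };
  }
  const remainder = cleaned.replace(/^[a-z][a-z0-9+.-]*:/i, "");
  return { text: remainder, filtered: true };
}

// Constructed sample inputs (harmless): one plain URL, one obfuscated
// javascript: URL with mixed case, a leading space and an embedded tab.
const samplePastes = [
  "https://example.com/profile",
  " JaVa\tScRiPt:void(0)",
];

for (const paste of samplePastes) {
  const result = filterAddressBarPaste(paste);
  console.log(JSON.stringify(paste), "->", JSON.stringify(result));
}
```

The filter deliberately keys on the parsed scheme rather than on a literal prefix match, because the address bar tolerates surrounding whitespace, embedded tab characters and arbitrary letter case, and a check that ignores any of these is trivially bypassed.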