While investigating this issue further, I found that the Request_Name_Display parameter in the same affected script has an XSS issue (probably reflected instead of stored). I didn't look any further. Specifically: Request_Name_Display=LSS<script>alert(document.cookie)</script>FAX generates a pretty big-lookin cookie. - Steve