Matt Gemmell

Always giving you extra

Remember, kids: don't use unchecked parameters in URLs, especially not on 
high-profile websites.
Enter a message below to see that message shown on the Bank of Scotland / Halifax 
<a href="http://www.bankofscotlandhalifax-online.co.uk/">online banking site</a> 
as an error message and as the page title.

    <input type="hidden" name="Msg" value="CriticalMCNoReset.html" />
    <input type="text" name="Message" value="Welcome to Macintosh!" size="35" />
    <input type="submit" value="Go" />

This trick probably doesn't pose any kind of security risk to the online banking 
site, but it's at least quite embarrassing for the Bank of Scotland / Halifax, 
since others can inject arbitrary text into their pages (at least from a visitor's 
perspective).
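
The fix on the server side is to stop displaying the `Message` parameter at all and to let `Msg` select only from a fixed list. The sketch below is an added example, not the bank's code or anything from the original post: the page template, the function names and the fixed error wording are assumptions, and only the parameter names and sample values come from the form above.

```python
import html
from urllib.parse import parse_qs

# Constructed allow-list: template name -> fixed, server-owned wording.
# Only the name "CriticalMCNoReset.html" is from the post; the text is made up.
MESSAGES = {
    "CriticalMCNoReset.html": "We could not complete your request.",
}
DEFAULT_TEMPLATE = "CriticalMCNoReset.html"

# Hypothetical page skeleton: the text lands in the title and the error body,
# matching the two places the post says the message shows up.
PAGE = ("<html><head><title>{title}</title></head>"
        "<body><p class=\"error\">{body}</p></body></html>")

# Constructed sample request, built from the form values in the post.
SAMPLE_QUERY = "Msg=CriticalMCNoReset.html&Message=Welcome+to+Macintosh%21"


def params_from_query(query):
    """Decode a query string, keeping the first value of each parameter."""
    return {key: values[0] for key, values in parse_qs(query).items()}


def render_unchecked(params):
    """The pattern the post describes: Message is echoed as supplied."""
    text = params.get("Message", "")
    return PAGE.format(title=text, body=text)


def render_checked(params):
    """Msg is matched against the allow-list; Message is never displayed."""
    template = params.get("Msg", DEFAULT_TEMPLATE)
    if template not in MESSAGES:
        template = DEFAULT_TEMPLATE  # unknown names fall back, never pass through
    # Escaping is defence in depth: the text is server-owned already.
    text = html.escape(MESSAGES[template])
    return PAGE.format(title=text, body=text)


if __name__ == "__main__":
    request = params_from_query(SAMPLE_QUERY)
    print(render_unchecked(request))
    print(render_checked(request))
```

With the checked version, the visitor-supplied text has no path into the page, so there is nothing left to validate or escape on that parameter.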