It's not a big truck. It's a series of tubes.
Update: It seems that the pressure of the backlash and Firefox's AMO policy has prevailed, and the NoScript extension has been "un-eviled". For now. Trust is a lot harder to regain, however, and I will not be using it again for my part.
So I was sifting through my logs and found a well-executed, actual XSS attack on one of my pages in the Ermarian Network.
As XSS attacks go, it was fairly harmless: The attacker injected an HTML link that was displayed after the form field; the HTML link did not go anywhere. Really a proof of concept, and an (intentional?) heads-up that I should secure my site better.
Something that has bothered me for a long time is the widespread belief that HTML is a language used to determine the appearance of content. Because it isn't, and the day I found that out has changed the way I think about the web and write web pages forever.
Half a year ago, I wrote two short guides on how to use PHP to get "clean resource identifiers" for your website. A "clean" address, in this case, was considered a sensible, short and memorable name that could be easily printed on paper or dictated, which did not depend on the location of the files and which (importantly) did not have a file extension like .php or .html.