Some cross-site scripting fun from our friends in the intelligence gathering biz...

Look Ma, I'm on CIA.gov - Threat Level, Wired Blogs

In an age where JavaScript is so ubiquitous that some websites won't even load if you don't enable it in your browser, cross-site scripting hacks are everywhere - letting malicious or merely mischievous hackers create links that have some very unintended consequences on websites that are not careful to keep from executing other people's code.

Most are run-of-the-mill and hardly worth writing about, but reader HS writes in with a vulnerability on the CIA's site that THREAT LEVEL can't resist.
Be sure to override your browser's XSS protection to view the example.