Hello <script> var pos = document.URL.indexOf("name=")+5;
Do not assume that everyone enters a real name like Joe or Alice. Take a look at this user name:
And if the server filters the parameter name, a parameter called xyzname will not be filtered, yet the script in the document will use the first occurrence of name= that it finds:
Notice the number sign (#) here. It normally refers to a part of a document and is never sent to the server, so any server-side checks will have no effect, but the local script will use the malicious code nevertheless.
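The mismatch described above, as an added example that is not code from the original page: it compares what a server-side filter on the parameter name sees with what the page's indexOf("name=") script extracts, and shows an exact-lookup, escaped alternative. The host site.example, the sample URLs and all function names are assumptions made for illustration.

```javascript
// Added example. URLs and the host site.example are constructed samples.

// The page's script: everything after the first "name=" anywhere in the URL.
function pageScriptName(url) {
  const pos = url.indexOf("name=") + 5;
  return url.substring(pos);
}

// A server-side filter: sees only the query string (the fragment is never
// sent) and checks the parameter called exactly "name".
function serverSeesName(url) {
  return new URL(url).searchParams.get("name"); // null when absent
}

function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Hardened client: exact parameter lookup in the query only, then escaped
// before it goes into markup (in a browser, assigning to textContent instead
// of calling document.write avoids HTML parsing altogether).
function safeName(url) {
  const raw = new URL(url).searchParams.get("name") ?? "";
  return escapeHtml(raw);
}

const MARKUP = "<script>alert(1)</script>"; // constructed marker string
const samples = {
  plain: "http://site.example/welcome.html?name=Joe",
  lookalike: "http://site.example/welcome.html?xyzname=" + MARKUP + "&name=Joe",
  fragment: "http://site.example/welcome.html#name=" + MARKUP,
};

// Side-by-side view of the three interpretations of one URL.
function compare(url) {
  return { server: serverSeesName(url), pageScript: pageScriptName(url), hardened: safeName(url) };
}

for (const [label, url] of Object.entries(samples)) {
  console.log(label, compare(url));
}
```

In the lookalike and fragment cases the server-side view contains nothing to filter, while the substring taken by the page's script starts with the markup.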
To be continued …