Forgive me in advance for an extremely bad joke, if you can even call it that, but I just can't help it.
Here's how to get an XSS fortune cookie:
1) Ask the mighty Google oracle who might be able to tell you your fortune.
2) Select one of the sponsored links; in this case I chose SpritualExperts.com.
3) Pick a variable. I settled for banid.
4) Ask it if it has a cookie for you.
Voilà... an XSS fortune cookie. Sorry. Really, I am.
The webmaster has been advised...play nice.
Screenshot for after they fix the issue.