Chris Morris:

> The attacker is the person who creates the link (or form, if it's a
> POST-based attack instead).
> The victim is the person who gets tricked into clicking on it.
> They don't need to be the same person.

OK. Got it. I was stuck on persistent XSS and lost sight of the simpler
things in life ;-)

Thanks for your, and Joost's, input.

Mike