When an analyst sends you an alert() box as proof of a security vulnerability, they are showing that they can execute arbitrary JavaScript code in the browser. What they are really demonstrating is that by sending that URL to someone else, they can get that other person to execute arbitrary...