Hacker News
by
_RPM
4292 days ago
When I went to the page, it started playing music. I find that very frustrating and annoying.
wittrock
4292 days ago
That's the point--who.is won't play music by itself. Its lookup of the DNS records of jaimehawkins.co.uk injected the music into the page.
_RPM
4292 days ago
Oh I see. This makes sense. This doesn't seem challenging to prevent. A simple replacement of characters on the HTML entity table would have prevented this instead of putting arbitrary text onto standard output.
finnn
4292 days ago
Correct. The purpose of this post is to demonstrate yet another class of website that does not validate user input.
0x0
4292 days ago
Yep, missing that is what makes this an "XSS" :)
justin66
4292 days ago
Yeah... that was actually hugely annoying. A little warning maybe.
hamburglar
4292 days ago
Here's your warning: if you ever click on an HN link titled "<something> XSS", prepare for something annoying to happen.
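The entity replacement discussed in the thread, shown as an added example that is not from any commenter and is not who.is code: a lookup page that renders DNS record data verbatim next to one that HTML-escapes it, plus a check that flags any tag the template did not emit. The record values, domain names and function names are constructed for illustration.

```python
import html
from html.parser import HTMLParser

# Constructed sample: records a resolver might return for a looked-up domain.
# One TXT value carries markup, like the record described in the thread.
SAMPLE_RECORDS = [
    ("A", "192.0.2.10"),
    ("MX", "10 mail.example.test."),
    ("TXT", '<audio autoplay src="//media.example.test/song.mp3"></audio>'),
    ("TXT", "v=spf1 include:_spf.example.test ~all"),
]

TEMPLATE_TAGS = {"table", "tr", "td"}  # the only tags the page itself emits


def render_unsafe(records):
    """Before: record data is concatenated into the HTML unchanged."""
    rows = "".join(f"<tr><td>{t}</td><td>{v}</td></tr>" for t, v in records)
    return f"<table>{rows}</table>"


def render_escaped(records):
    """After: every field from DNS is entity-encoded before it reaches the page."""
    rows = "".join(
        "<tr><td>{}</td><td>{}</td></tr>".format(
            html.escape(t, quote=True), html.escape(v, quote=True)
        )
        for t, v in records
    )
    return f"<table>{rows}</table>"


class _TagCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.unexpected = []

    def handle_starttag(self, tag, attrs):
        if tag not in TEMPLATE_TAGS:
            self.unexpected.append(tag)


def injected_tags(rendered):
    """Parse the output as a browser would and list tags the template did not emit."""
    collector = _TagCollector()
    collector.feed(rendered)
    collector.close()
    return collector.unexpected
```

Running `injected_tags` over rendered output in a regression test catches a template that starts interpolating resolver data without encoding it.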