Uses an embedded style element within the channel link to execute arbitrary JavaScript *on* the Bloglines subscription confirmation page (i.e. before you've actually subscribed). Bloglines safe-encodes both single and double quote marks, and strips all whitespace, but you get around this by using String.fromCharCode to construct the JavaScript code and eval to execute it. Only affects Bloglines users running IE/Win, since IE is the only browser on Earth stupid enough to execute JavaScript code within CSS rules. en http://<style>body{any:expression(alert(String.fromCharCode(73,32,99,97,110,32,115,116,105,108,108,32,98,101,32,101,118,105,108,46)))}<style>