Ivan Markovic discovered that SquirrelMail, a webmail application, did not sufficiently sanitise incoming HTML email, allowing an attacker to perform cross site scripting through sending a malicious HTML email.