Attribute Injection

<input type=hidden name=foo value=<?php echo $_GET['foo']; ?> />

Tricky Attribute Injection

<a href="/foo" onclick="location.href='/sq?arg=foo'+alert('xss_check')//'">

Pure JavaScript

foo.innerHTML = document.location.href;
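
The three patterns above with each value encoded for the context it lands in, as an added example that is not part of the original page. The function names and sample inputs are assumptions constructed for illustration, and the code is written for Node so the encoders can be run without a browser.

```javascript
// Added example. Function names are hypothetical; inputs are constructed.

// HTML attribute context: encode every non-alphanumeric code point as &#xHH;
// so the value cannot end the attribute or start a new one.
function encodeHtmlAttr(s) {
  return String(s).replace(/[^A-Za-z0-9]/gu,
    (c) => `&#x${c.codePointAt(0).toString(16)};`);
}

// JavaScript string context: \xHH or \uHHHH for every non-alphanumeric
// UTF-16 unit, so quotes and backslashes cannot close the literal.
function encodeJsString(s) {
  return String(s).replace(/[^A-Za-z0-9]/g, (c) => {
    const n = c.charCodeAt(0);
    return n < 256
      ? `\\x${n.toString(16).padStart(2, "0")}`
      : `\\u${n.toString(16).padStart(4, "0")}`;
  });
}

// Pattern 1: quote the attribute and encode the value.
function renderHiddenInput(foo) {
  return `<input type="hidden" name="foo" value="${encodeHtmlAttr(foo)}">`;
}

// Pattern 2: the value sits in a URL parameter, inside a JS string, inside an
// HTML attribute. Encode the innermost context first; the browser decodes in
// the reverse order (HTML, then JS, then URL).
function renderLink(arg) {
  const js = `location.href='/sq?arg=${encodeJsString(encodeURIComponent(arg))}'`;
  return `<a href="/foo" onclick="${encodeHtmlAttr(js)}">`;
}

// Pattern 3: assign to textContent, which never parses markup, not innerHTML.
function showLocation(el, href) {
  el.textContent = href;
  return el;
}

// Constructed inputs: a space that would end an unquoted attribute, and the
// payload shown in the second snippet.
console.log(renderHiddenInput("a b=c"));
console.log(renderLink("foo'+alert('xss_check')//"));
```
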