I recently installed a patch at a client site that is supposed to prevent XCSS attacks.
I was able to embed HTML into a web form and have it saved to my customer profile. Is HTML in a form field considered a cross-site script attack? Or is it something more? What tools should I obtain to test the patch to make sure ?