This isn't working for me. I can set $data to a string by using "/xss.php?data=mitch", but I can't execute any scripts. Is it possible that htmlspecialchars() is automatically turned on?