not grokking cross-site scripting

I wonder if I'm the only one left on the planet who finds it hard to take cross-site scripting attacks seriously. To put it another way, I've just introduced a cross-site scripting hole into every website with user-determined content out there, as follows:

  1. YouDontWantThisML is a new markup language that extends html with new square bracket tags. A YouDontWantThisML compliant browser will thus interpret [p] as <p> and so on. This is a fairly simple modification to most web browsers, so I won't post patches.
  2. As an extra bonus feature, if it sees a [YouDontWantThisML] tag, a YouDontWantThisML compliant browser will pop up a game of asteroids and not let you continue browsing until you've shot the flying saucer. This "captive asteroids" feature is sure to make users demand YouDontWantThisML support in droves. And pong is due to be supported in YouDontWantThisML version 2.0!
  3. Unfortunatly if your web browser is YouDontWantThisML compliant, I've just realized that you're vulnerable to CSS exploits such as this one, which can be inserted on any web site out there with user-defined content (such as whichever one you're reading this on).

    [script]
    blah blah evil code here
    [/script]
    

    Another example might be using eg, viewcvs with an url like this one:

    http://hostname/viewcvs.cgi/[script]alert("BOO"+document.cookie)[/script]
    

Fixing this new set of cross-site scripting holes in nearly every website out there might take a while, but don't look at me, it's not my fault for inventing YouDontWantThisML, and it's certianly not the fault of any browser that added YouDontWantThisML support.