I don't want to provide any links or details before it is fixed, but Google has another cross-site scripting (XSS) vulnerability. It is more serious than the previous one, because:
- It works with any character encoding. (You can be a victim even if you don't use a vulnerable browser.)
- It exists in multiple domains (www.google.com and mail.google.com).
- It is much easier to exploit. (It was discovered by accident.)