><object id="test" > data="#" > width="100%" height="100%" > type="text/x-scriptlet" > VIEWASTEXT></object> What I think is happening is that IE takes the URL '#' on it's own to mean current document. (You can ahieve the same affect by specifying data="document.html" where document.html is the name of the html file running the code.) When the data in the file '#' is embedded into the document and executed it too contains the same object tag which embeds the document again and again. Eventually it runs out of stack space. I doubt this is exploitable on it's own except as a DoS. - Blazde
