If a client-side attacker can inject JavaScript code into database data, it may end up being activated in a user's browser. We will demonstrate a couple of ways of carrying out this sort of attack, and show how the database contents map to what is displayed in the user's browser.