An actual XSS on google.com by Masato Kinugawa. It abuses a parser differential: the same markup is parsed differently in a JavaScript-enabled context than in a JavaScript-disabled one.