I can run JavaScript scripts directly from your page, like this:

https://secure.hostony.com/pay/index.php?Pr...);%3C/script%3E

Obviously, that file displays whatever is given to ProductTemplate_Name in the page.

See, I could use

https://secure.hostony.com/pay/index.php?Pr...3E%3C/script%3E

Then inside mysite.com/myscript.js, it has

CODE
document.write("<?php somePhpCommands; ?>")


Then they could use PHP commands on your site, too.

Would this present a security risk to Hostony, or am I way off?
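
An added example, not part of the original post and not Hostony's code: a PHP handler that reflects ProductTemplate_Name unencoded, next to two hardened forms (output encoding, and an allowlist of known names). The function names, the `<h2>` wrapper, the 100-byte limit, the product names and the sample value are assumptions made for illustration.

```php
<?php
// Hypothetical handlers: the real index.php is not shown on the page.

// Reflects the parameter as-is, so markup in the value becomes part of the page.
function render_unsafe(array $query): string
{
    $name = $query['ProductTemplate_Name'] ?? '';
    return '<h2>Order: ' . $name . '</h2>';
}

// Encodes on output: <, >, &, " and ' are emitted as entities and shown as text.
function render_encoded(array $query): string
{
    $name = $query['ProductTemplate_Name'] ?? '';
    if (!is_string($name)) {
        $name = '';                    // ?ProductTemplate_Name[]=x arrives as an array
    }
    $name = substr($name, 0, 100);     // assumed length limit for a product name
    // ENT_SUBSTITUTE replaces invalid UTF-8 (e.g. from the cut above) instead of
    // returning an empty string.
    $safe = htmlspecialchars($name, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<h2>Order: ' . $safe . '</h2>';
}

// Stricter: accept only names the shop actually sells, then still encode.
function render_allowlisted(array $query, array $knownNames): string
{
    $name = $query['ProductTemplate_Name'] ?? '';
    if (!is_string($name) || !in_array($name, $knownNames, true)) {
        $name = 'Unknown product';
    }
    return '<h2>Order: ' . htmlspecialchars($name, ENT_QUOTES, 'UTF-8') . '</h2>';
}

// Constructed sample input: a product name with a script tag appended.
$sample = [
    'ProductTemplate_Name' => 'Basic Plan<script src="//example.test/x.js"></script>',
];
$known = ['Basic Plan', 'Business Plan'];   // assumed product names

echo render_unsafe($sample), PHP_EOL;       // script tag reaches the browser intact
echo render_encoded($sample), PHP_EOL;      // script tag is rendered as visible text
echo render_allowlisted($sample, $known), PHP_EOL;  // value rejected, placeholder shown
```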