
Security is hard. XSS lol.

http://i.imgur.com/3QJfsu7.png



Even though you did manage to get that far, it doesn't seem that you can actually make it persist or anything like that on his site, so it is probably about as useful of an XSS as typing directly into the console on your browser.


Reflected XSS is still a big security problem.

http://www.acunetix.com/blog/articles/non-persistent-xss/


Yeah, I wouldn't have posted it here if it was more severe. Just some fun script injection.


Oh wow. Would love to know how you did that. :-o


I feel like I’m posting a spoiler here, but... Think what happens if the user’s “e-mail address” happens to start with:

    "/><script>


Just put a script in the username field, sorry if that wasn't clear.

    <script>alert(0)</script>

All the live updating that module does, I figured there might be some code injection.
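
The two inputs quoted in the comments above, run through a string-built preview and through the same preview with output escaping, as an added example that is not part of the thread and not the affected site's code. The markup, the field names and every function name here are assumptions.

```javascript
// Added example: the template below is constructed for illustration.
const HTML_ESCAPES = {
  "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
};

// Escape the five characters that can change HTML parsing context.
// Safe for element text and for double- or single-quoted attribute values.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable: user input is concatenated straight into markup, so a quote
// closes the attribute and a tag in the name becomes a real element.
function renderPreviewUnsafe(user) {
  return `<input name="email" value="${user.email}"/>` +
         `<span class="greeting">Hello, ${user.name}</span>`;
}

// Hardened: every interpolated value is escaped at the point of output.
function renderPreviewSafe(user) {
  return `<input name="email" value="${escapeHtml(user.email)}"/>` +
         `<span class="greeting">Hello, ${escapeHtml(user.name)}</span>`;
}

// Count opening tags of a given name in a markup string (test helper).
function countOpeningTags(html, tag) {
  return (html.match(new RegExp(`<${tag}\\b`, "gi")) || []).length;
}

// Constructed sample: the two strings quoted in the comments above.
const sample = { email: '"/><script>', name: "<script>alert(0)</script>" };

const unsafeHtml = renderPreviewUnsafe(sample);
const safeHtml = renderPreviewSafe(sample);

console.log("unsafe:", unsafeHtml);
console.log("script tags:", countOpeningTags(unsafeHtml, "script"));
console.log("safe:  ", safeHtml);
console.log("script tags:", countOpeningTags(safeHtml, "script"));
```

In a live-updating widget, assigning the value through `textContent` or `setAttribute` instead of building an HTML string avoids the parse step entirely.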



