Exploiting cross-site scripting in Referer header

The application that echoes the Referer header is vulnerable to cross-site scripting. And it is perfectly exploitable. Here is how:

Suppose we have an application that generates a "Back" link from Referer header (let's call it vulnerable.php):

echo '<a href="';
echo '">Back</a>\n';

We can inject HTML and JavaScript if we can set the Referer header. This can be done if we first get the victim to visit a page created by the attacker. Consider the following page (let's call it exploit.html):

<form   id="xss"

If the victim is tricked into visiting http://attacker.example.com/exploit.html?<script>alert(1);</script> he will end up on the vulnerable page with the Referer header containing XSS attack.

This attack works in Internet Explorer, but does not work in Firefox, because Firefox will URL-encode the naughty characters after the question mark. It may still be possible to exploit this with Firefox, but some trickery with mod_rewrite will be needed to have XSS data in the path, instead of in the query.