Ededededededed, in your post it states:
Any site running over HTTP where events are added or edited can also be exploited to inject this persistent XSS to take blog users or admin users off site for drive by download, or credential exploit.
Do you know if this is true of a site under SSL using HTTPS as well?
