Sure enough, when he drops the URL in his browser, the injected JavaScript is executed and the browser redirects to his malicious site.
