Cross-site scripting (XSS) vulnerability in ajax-spell before 1.8 allows remote attackers to inject arbitrary web script or HTML via onmouseover or other events in HTML tags.
http://www.securityfocus.com/bid/13986
http://www.broken-notebook.com/spell_checker/index.php
http://sourceforge.net/project/shownotes.php?release_id=335556