alert(document.cookie) with 7 characters, using HPP and automatic entity decoding

PoC (IE 8/9): http://tr3w.net/misc/challenges/ch2.php/?w=URL=URL&amp;w=innerHTML=URL#<img src=x onerror=alert(cookie)>

The trick is: hover the <h1> two times instead of one time. First time, w and &amp;w are GET parameters. Then URL is replaced by URL/itself - and IE then decodes the entity &amp;. Remember Stefano's, Yosuke's and Gareth's Twitter XSS? Same effect. As soon as entities in the URL appear, and a URL assignment happens, the browser decodes them. Then, the GET parameter w appears of course twice, having the second one overwrite the first one. Now hovering the headline causes the actual payload to execute - and alert the cookie.

All that is being triggered by URL=URL as content of the onmouseover attribute. Seven chars, mission accomplished.