onmouseover="showToolTip('Click for a larger version of this picture of Joe Smith')" />
"... and the img tag becomes".
onmouseover="showToolTip('Click for a larger version of this picture of Joe');alert('XSS')" />
"What do you think will happen here?"
I was looking at the code. The attack vector looked escaped to me. This is clearly data within an HTML attribute... and we should thus escape the characters that cause problems in HTML attributes. However, David of course had a reason for showing me this.
I was about to give up, when it dawned on me. This was of course similar to the previous one.
"That's exactly right", David said. "Good, let's move on."
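
Why the HTML-escaped value still fires, as an added example that is not code from the original post: the browser decodes character references in the attribute before the handler text reaches the JavaScript engine, so data placed inside a JavaScript string within an event-handler attribute needs JavaScript string encoding first and HTML attribute encoding second. The function names and the `browserDecodeAttr` stand-in for the HTML parser are hypothetical, and the input is constructed to match the tag shown above.

```javascript
// HTML-attribute encoding only: the step that "looked escaped".
function htmlAttrEncode(s) {
  return s.replace(/[&<>"']/g, c => '&#' + c.charCodeAt(0) + ';');
}

// JavaScript string-literal encoding: anything but letters, digits and
// spaces becomes a \uXXXX escape, so it cannot close the literal.
function jsStringEncode(s) {
  return s.replace(/[^A-Za-z0-9 ]/g, c =>
    '\\u' + c.charCodeAt(0).toString(16).padStart(4, '0'));
}

// Stand-in for the browser's HTML parser: numeric character references in
// an attribute value are decoded BEFORE the handler is compiled as script.
function browserDecodeAttr(s) {
  return s.replace(/&#(\d+);/g, (_, n) => String.fromCharCode(Number(n)));
}

// Build the onmouseover value with the given encoder, then run the decoded
// handler against stub functions and record which ones were called.
function simulate(name, encode) {
  const attr = "showToolTip('Click for a larger version of this picture of " +
    encode(name) + "')";
  const calls = { tooltip: [], alert: [] };
  const handler = new Function('showToolTip', 'alert', browserDecodeAttr(attr));
  handler(t => calls.tooltip.push(t), m => calls.alert.push(m));
  return { attr, calls };
}

const input = "Joe');alert('XSS"; // constructed sample input

// Weak: HTML attribute encoding alone. The quote comes back after decoding.
const weak = simulate(input, htmlAttrEncode);

// Hardened: encode for the innermost context (JS string) first, then for
// the outer context (HTML attribute).
const hardened = simulate(input, s => htmlAttrEncode(jsStringEncode(s)));

console.log('weak     :', weak.attr, weak.calls);
console.log('hardened :', hardened.attr, hardened.calls);
```
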