What is not true with respect to cross-site scripting (XSS) vulnerabilities?

The user cannot do anything to protect himself against reflected XSS on a page that he normally trusts.

A] True; if there is a vulnerability in the JavaScript interpreter or in one of the browser plugins, an XSS attack can lead to client-side code execution. b] True; an attacker can steal the users authentication data from cookies and use it to impersonate the user. c] True; by definition, a reflected XSS vulnerability is triggered by the user actively following a link. d] This is NOT true; there are browser plugins such as NoScript that can prevent running JavaScript from untrusted sites. e] True, the payload may contain a HTTP request that is parametrized to exploit an XSS in another page on the same host. See the Samy MySpace worm for an example.