What are some fun (non-nefarious) XSS pranks/tricks?
Sorry if this isn’t the right kind of question for this sub, but one of my friends has badly secured their site, and there’s an easy way to do XSS, so what are some fun, harmless pranks that I could try? I don’t care about logging cookies or anything. The obvious idea is redirecting to [this](https://www.youtube.com/watch?v=dQw4w9WgXcQ), and another one I found is this code which flips the page:
document.body.style[‘transform’] = ‘rotate(180deg)’
What are some other ones?