The spike of i{Phone, Pod Touch, Pad}, Android, and other mobile devices that do not support Flash has spurred the growth and interest in HTML5, even though the standard is still evolving. The power of HTML5 allows developers to create almost full-fledged web applications, not just structured content. HTML5's new features has increased the attack surface. It has been demonstrated that the HTML5 offline application cache can be abused. In addition, the support for client-side storage will open up the opportunity for SQL injection attack on client machines. There has been chatter regarding the new attack opportunities that the <audio>, <video>, and <canvas> tags will present, considering they require JavaScript and image-related functions such as SVG. This presentation will demonstrate the issues of HTML5 and how they can be abused and mitigated with good-old techniques. This presentation will also delve into the writing malicious web pages with web workers, abusing cross-origin JavaScript requests, how not to do cross-document messaging, and abusing geolocation.