It's going to have to be site-specific code to bypass different implementations, however. And it still means that the attacker has to write something to interpret what the hoster is sending and expects back. It would probably be easier just to throw a JavaScript interpreter into their code. :)
_________________________
Bruno
Twisted Melon : Fine Mac OS Software