The PHP code stays on the server, but the HTML files it generates do not. The stylesheets that are generated may not. The images on it do not, etc. If you don't have JavaScript disabled, JavaScript can run on your machine as well. A lot of remote code execution bugs with Firefox are linked to font rendering, actually. There have been vulnerabilities in the Firefox HTML engine as well; I am not certain, but I believe they could be carried out with HTML only. Actually, a little research has made me certain: here is an example of a Firefox vulnerability that could be exploited with a specially crafted href: http://www.cvedetails.com/cve/CVE-2007-2671/ . It doesn't mention the possibility of remote code execution, only a crash and denial of service, but where there is crashing, remote code execution is generally possible.

So you are correct that the PHP code for SR does not run in your memory, but things from SR are indeed present in your computer's memory and in some cases on its HD. Firefox's HTML engine can be exploited with HTML.

Here is a link about GPG being remotely exploited during signature verification; although it is not the example I was thinking of, it is the first thing I found about GPG exploits while searching for it: http://forums.gentoo.org/viewtopic-p-6848828.html and here is another example of specially crafted signed / encrypted data being used to pwn people who process it through GPG: http://lwn.net/Articles/212909/