You are to create examples of cross-site scripting vulnerabilities and provide the code and the exploit steps. You need to do one of each of the following:
You can do all three in one application if you would like. Use any language you care to use. Please not that this application doesn't have to do anything useful.
CSRF is kind of a bugger to demo, so all you need to do is explain how your app could be exploited.