Challenge
Your input is reflected in a results page without proper output encoding. Use this to execute JavaScript.
What you'll learn
- Why output encoding is essential.
- Safe demonstration of XSS via a sandboxed iframe.
Need a Hint?
Try using a <script> tag or an onerror handler on an image.
Vulnerable pattern
// Reflected into HTML without encoding: whatever arrives in ?q= becomes part of the page's markup
<div><?= $_GET['q'] ?></div>
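An added example (JavaScript, not the challenge's own PHP) that renders the same reflected value two ways, checks which one the HTML tokenizer would treat as markup, and builds the sandboxed frame. It assumes the demonstration frame uses sandbox="allow-scripts" with srcdoc; the two sample inputs are constructed from the hint above.

```javascript
// Added example (not the challenge's own code): the reflected-search
// pattern rendered two ways, plus the sandboxed frame used to show it.

// Encode for the HTML body and quoted-attribute contexts; the same five
// characters htmlspecialchars($q, ENT_QUOTES, 'UTF-8') encodes in PHP.
function encodeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#039;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Vulnerable pattern: the raw query value is spliced into the markup.
function renderVulnerable(q) {
  return `<div>${q}</div>`;
}

// Hardened pattern: the value can only ever be text inside the <div>.
function renderEncoded(q) {
  return `<div>${encodeHtml(q)}</div>`;
}

// The part of the rendered page that came from the user.
function reflectedPart(html) {
  return html.slice('<div>'.length, html.length - '</div>'.length);
}

// Would the HTML tokenizer leave the data state here? A '<' followed by a
// letter, '/', '!' or '?' opens a tag; after encoding no '<' survives.
function startsTag(fragment) {
  return /<[A-Za-z\/!?]/.test(fragment);
}

// Display the (possibly vulnerable) result in a sandboxed iframe. With
// allow-scripts but no allow-same-origin the frame gets an opaque origin,
// so a payload that runs there cannot reach the parent's cookies or DOM.
// srcdoc is an attribute, so the HTML going into it is attribute-encoded.
function sandboxedFrame(html) {
  return `<iframe sandbox="allow-scripts" srcdoc="${encodeHtml(html)}"></iframe>`;
}

// Constructed inputs: the two payload shapes named in the hint.
const samples = ['<script>alert(1)</script>', '<img src=x onerror=alert(1)>'];
for (const q of samples) {
  console.log(startsTag(reflectedPart(renderVulnerable(q))), // true
              startsTag(reflectedPart(renderEncoded(q))));   // false
}
```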