Challenge
Post a comment that executes JavaScript when viewed. The preview shows safe text; the sandbox shows raw rendering.
Safety
Raw HTML renders only inside a sandboxed iframe with no access to the parent and no network.
Recent Comments (safe preview)
User 416f10 • 2025-11-29 03:24:34
<img src=x onerror=alert(1)>
User ad470c • 2025-11-29 03:24:17
test
User ed0464 • 2025-11-29 03:20:40
<script>alert(1)</script>
Raw Rendering (sandboxed)
Vulnerable pattern
// Stored content rendered as HTML without encoding
echo $row['content'];
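The vulnerable pattern above beside an output-encoded version, as an added example that is not the lab's own code. The helper names `render_raw`, `render_encoded` and `e`, the `user` key and the sample rows are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Constructed sample rows mirroring the stored comments listed on this page,
// plus one row with quotes, an ampersand and an invalid UTF-8 byte.
$rows = [
    ['user' => '416f10', 'content' => '<img src=x onerror=alert(1)>'],
    ['user' => 'ad470c', 'content' => 'test'],
    ['user' => 'ed0464', 'content' => '<script>alert(1)</script>'],
    ['user' => 'sample', 'content' => "a \"b\" & 'c' \xC3"],
];

// Vulnerable pattern: stored content is written into the page verbatim,
// so the browser parses any markup it contains.
function render_raw(array $row): string
{
    return '<div class="comment">' . $row['content'] . '</div>';
}

// Output encoding for HTML text and quoted-attribute contexts.
// ENT_QUOTES encodes both quote characters; ENT_SUBSTITUTE replaces invalid
// UTF-8 with U+FFFD instead of returning an empty string.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Hardened pattern: encode every stored value at the point of output.
function render_encoded(array $row): string
{
    return '<div class="comment" data-user="' . e($row['user']) . '">'
        . e($row['content']) . '</div>';
}

foreach ($rows as $row) {
    $encoded = e($row['content']);
    // After encoding, no character that can open a tag or close an attribute remains.
    if (strpbrk($encoded, '<>"\'') !== false) {
        throw new RuntimeException('encoding left markup characters in output');
    }
    echo 'raw:     ', render_raw($row), PHP_EOL;
    echo 'encoded: ', render_encoded($row), PHP_EOL, PHP_EOL;
}
```

This encoding fits HTML text and quoted attribute values only; a value placed in a URL, a script block or CSS needs the encoder for that context.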