⚠️ No CSP — this page is unprotected
CSP Demo 4 of 4

XSS via User Input

Unescaped user content is reflected back into the page, allowing an attacker to inject and execute arbitrary JavaScript.

XSS executing — injected script is running

Community Comments

Latest comment from the community

🚨 XSS payload executed. The comment below contains injected JavaScript. Without output encoding or CSP, the browser runs it immediately.
attacker just now
Injected payload (what the attacker submitted)
// The <img> onerror fires immediately, no click needed
<img src=x onerror="alert('XSS! Your cookies: ' + document.cookie)">
What's happening

User-supplied content is being written directly into the page without HTML encoding. The attacker submitted an <img> tag whose onerror handler executes the moment the browser tries (and fails) to load the image. Here it pops an alert() to make the attack obvious — in the wild this would silently exfiltrate your session cookies instead.
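As an added illustration, not code from this demo page, the snippet below shows the unsafe rendering pattern the paragraph describes next to its output-encoded form, and a simplified check of whether a Content-Security-Policy would refuse the inline onerror handler. The function names, the `renderComment*` wrapper markup and the CSP fallback logic are assumptions made for the example; the sample comment body reuses the payload shown above.

```javascript
// Added example, not code from the demo page: the unsafe rendering pattern the
// demo describes, beside its output-encoded form, plus a simplified check of
// whether a Content-Security-Policy would refuse the inline onerror handler.

// Constructed sample input: the payload shown on the demo page, as a comment
// body submitted by a user named "attacker".
const INJECTED_COMMENT =
  '<img src=x onerror="alert(\'XSS! Your cookies: \' + document.cookie)">';

// Vulnerable: user text is concatenated straight into markup. The browser
// parses the <img> tag and fires its onerror handler while loading the page.
function renderCommentUnsafe(author, text) {
  return `<div class="comment"><b>${author}</b>: ${text}</div>`;
}

// Encode the characters that can change HTML parsing context.
// '&' must be replaced first so the entities produced afterwards are not
// re-encoded.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Hardened: every user-controlled field is encoded before it is placed in
// markup, so the payload is displayed as literal text. In DOM code the
// equivalent is assigning `element.textContent` instead of `element.innerHTML`.
function renderCommentSafe(author, text) {
  return `<div class="comment"><b>${escapeHtml(author)}</b>: ${escapeHtml(text)}</div>`;
}

// Simplified defence-in-depth check (assumption: CSP3 fallback order).
// Inline event handlers such as onerror="..." are governed by script-src-attr,
// falling back to script-src, then default-src. They run only if the effective
// directive is absent (no restriction) or carries 'unsafe-inline' without any
// nonce or hash source (a nonce/hash makes 'unsafe-inline' ignored).
// 'unsafe-hashes' with a matching hash can re-allow one specific handler;
// that case is not modelled here.
function cspBlocksInlineHandlers(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    const key = name.toLowerCase();
    if (!directives.has(key)) {
      directives.set(key, sources.map((s) => s.toLowerCase()));
    }
  }
  const effective =
    directives.get('script-src-attr') ??
    directives.get('script-src') ??
    directives.get('default-src');
  if (effective === undefined) return false; // no script restriction at all
  const allowsInline = effective.includes("'unsafe-inline'");
  const hasNonceOrHash = effective.some((s) => /^'(nonce-|sha(256|384|512)-)/.test(s));
  return !(allowsInline && !hasNonceOrHash);
}

// Stand-alone run: show both renderings and the CSP outcome for this page
// (no policy) versus a self-only policy.
if (typeof require !== 'undefined' && require.main === module) {
  console.log(renderCommentUnsafe('attacker', INJECTED_COMMENT));
  console.log(renderCommentSafe('attacker', INJECTED_COMMENT));
  console.log('no CSP blocks handler:', cspBlocksInlineHandlers(''));
  console.log("script-src 'self' blocks handler:",
    cspBlocksInlineHandlers("default-src 'self'; script-src 'self'"));
}
```

Output encoding is the primary fix: the unsafe renderer emits the `<img>` tag verbatim, while the safe one turns every `<`, `>`, `"` and `'` into an entity so the comment is displayed rather than parsed. The CSP check is a second layer: with no policy at all (this page's situation) the handler runs, with `script-src 'self'` it is refused, and `'unsafe-inline'` hands that protection back unless a nonce or hash is also present.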
