๐Ÿ›ก๏ธ CSP is active โ€” violations are blocked and reported
โ† All demos ยท CSP Demo 4 of 4

XSS via User Input

Unescaped user content is reflected back into the page, allowing an attacker to inject and execute arbitrary JavaScript.

Protected — CSP blocked the inline script from executing

Community Comments

Latest comment from the community

✅ XSS blocked. Even though the payload is on the page, CSP's script-src 'self' prevented any inline event handler or injected script from executing. The violation was reported to Report URI.
attacker, just now
CSP header sent with this page
Content-Security-Policy: default-src 'self'; script-src 'self'; style-src 'self'; img-src 'self' data:; form-action 'self'; report-uri https://helios.report-uri.com/r/t/csp/enforce; report-to default
What CSP did

CSP doesn't fix the underlying XSS bug — the page still outputs unescaped HTML. But script-src 'self' blocks all inline event handlers and inline <script> tags. The attacker's payload lands on the page but cannot execute, buying time for the bug to be fixed and generating a violation report to alert you.
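The two layers described above, as an added example that is not part of the demo or its code: `escapeHtml()` is the actual fix for the reflection bug (contextual output encoding), and `parseCsp()` / `allowsInlineScript()` model, in simplified form, how `script-src` decides whether an inline handler or inline `<script>` may run. The function names and the constructed comment are this example's own; `DEMO_CSP` is the header string shown on this page.

```javascript
// Added example, not the demo's own code. It models the two defences the page
// discusses: output escaping (fixes the bug) and CSP (contains it when escaping
// is missing). Function names and the sample comment are this example's own.
const DEMO_CSP =
  "default-src 'self'; script-src 'self'; style-src 'self'; img-src 'self' data:; " +
  "form-action 'self'; report-uri https://helios.report-uri.com/r/t/csp/enforce; report-to default";

// Constructed user comment carrying an inline event handler (harmless payload).
const HOSTILE_COMMENT = '<img src=x onerror="alert(1)">';

// Escape the characters that change meaning in HTML text and attribute contexts.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable rendering: user content is concatenated into markup unchanged.
function renderCommentVulnerable(comment) {
  return `<div class="comment">${comment}</div>`;
}

// Hardened rendering: same template, but user content is escaped first.
function renderCommentSafe(comment) {
  return `<div class="comment">${escapeHtml(comment)}</div>`;
}

// Parse a serialized CSP into { directiveName: [sourceExpressions] }.
function parseCsp(header) {
  const policy = {};
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    policy[name.toLowerCase()] = sources;
  }
  return policy;
}

// Simplified model of the inline-script decision: script-src governs, falling
// back to default-src when script-src is absent. Inline code runs only if the
// governing list contains 'unsafe-inline'; in CSP2+ a nonce- or hash-source in
// the same list switches 'unsafe-inline' off again. Matching an individual
// script's nonce or hash is out of scope for this model.
function allowsInlineScript(policy) {
  const sources = policy['script-src'] ?? policy['default-src'];
  if (sources === undefined) return true; // no applicable directive: unrestricted
  const hasNonceOrHash = sources.some((s) => /^'(nonce-|sha(256|384|512)-)/.test(s));
  return sources.includes("'unsafe-inline'") && !hasNonceOrHash;
}

// Walk through the demo scenario.
const policy = parseCsp(DEMO_CSP);
console.log('vulnerable markup :', renderCommentVulnerable(HOSTILE_COMMENT));
console.log('escaped markup    :', renderCommentSafe(HOSTILE_COMMENT));
console.log('inline script allowed under demo CSP:', allowsInlineScript(policy));
```

Run with `node` to see that the vulnerable renderer still emits the `onerror` attribute (the bug is real), the escaped renderer emits no tag at all (the fix), and the demo's policy evaluates to "inline not allowed" (the containment layer that stopped this demo's payload).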

โ† Demo 3 All demos โ†’
๐Ÿ›ก๏ธ CSP blocked 0 attempt(s)