Sometimes when I'm bored I like to trawl low-budget sites for XSS (and if I'm lucky, SQL injection) vulnerabilities.
I've recently noticed that some sites seem to do something interesting. I enter my payload into an input or wherever will reflect it back when I submit the form, and the webpage simply echoes the payload onto the page instead of executing it.
See pic: non-coloured text is the string I have entered.
First I tried with just <script> tags but after that didn't work, I figured I needed to escape the <h2> tags.
Is this the website itself refusing to execute it, or Chrome?
Because there's no reason that shouldn't execute otherwise. It's valid HTML.
You used </h2> twice and didn't declare the start of a second one, you dumb poo poo!
>>59347312
Oops, wrong screenshot.
But same thing with the <h2>.
>>59346747
https://www.youtube.com/watch?v=ciNHn38EyRc
JavaScript inserted through the DOM isn't executed.