Stored XSS into HTML context with nothing encoded


The website in this lab contains a stored cross-site scripting vulnerability in the comment functionality.

Reproduction and proof of concept

  1. Enter the following into the comment box:

<script>alert('Hello World')</script>
  1. Enter a name, email and website.

Stored XSS

  1. Click Post comment.

  2. Go back to the blog.

Stored XSS