XSS demo

Basic Search (Vulnerable)

How does this vulnerability work?

The search input is inserted directly into the page without any escaping. This means the browser treats user input as HTML instead of plain text.


Try entering the following payload:

<img src=x onerror=alert(1)>

If the website is vulnerable, the browser will execute the injected JavaScript instead of displaying it, proving a Cross-Site Scripting (XSS) vulnerability.
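The behaviour described above, and the fix, as an added example that is not this demo's own code. The function names are hypothetical; the page's markup is modelled as a string so the result can be checked outside a browser.

```javascript
// Added example. renderVulnerable, renderSafe, escapeHtml and
// containsInjectedTag are hypothetical names, not taken from the demo page.

// Vulnerable pattern: the search term is concatenated into markup, so the
// browser parses it as HTML (same effect as element.innerHTML = ... + query).
function renderVulnerable(query) {
  return "<p>Results for: " + query + "</p>";
}

// Escape the characters that are significant in HTML text and attribute values.
function escapeHtml(text) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Hardened pattern: the search term is escaped before it reaches the markup,
// so it is displayed as plain text. In a browser, assigning the value to
// element.textContent achieves the same result without manual escaping.
function renderSafe(query) {
  return "<p>Results for: " + escapeHtml(query) + "</p>";
}

// Regression check: does the rendered fragment contain any tag besides the
// wrapper <p> that the page itself emits?
function containsInjectedTag(html) {
  const inner = html.replace(/^<p>/, "").replace(/<\/p>$/, "");
  return /<[a-zA-Z!\/]/.test(inner);
}

// The payload shown on this page, used as the test input.
const payload = "<img src=x onerror=alert(1)>";

console.log("vulnerable:", renderVulnerable(payload));
console.log("  injected tag present:", containsInjectedTag(renderVulnerable(payload)));
console.log("safe:      ", renderSafe(payload));
console.log("  injected tag present:", containsInjectedTag(renderSafe(payload)));
```
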
