XSS Practice Lab

Your own local sandbox for experimenting with reflected XSS — only on your machine.

Input & Reflection

Enter something below and hit “Submit” to see how the page handles your input (the handling is intentionally unsafe).

Awaiting input...

What We Did & Why It’s Vulnerable

This page reflects your input directly into the HTML using innerHTML, so the browser parses whatever you type as markup instead of displaying it as text, and any HTML or JavaScript it contains will be interpreted. This is exactly how many real-world XSS vulnerabilities work.

Key Code

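// Intentionally vulnerable: this is the lab's XSS sink.
function reflectInput() {
  // Untrusted value read straight from the text box.
  const val = document.getElementById("inputBox").value;
  // innerHTML runs the HTML parser over the user-controlled string.
  document.getElementById("output").innerHTML = "You entered: " + val;
}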

Try These (Locally Only)

How Real Sites Should Protect Against This
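
A hardened counterpart to the Key Code above, as an added example that is not part of the lab's own code: one version writes through textContent, the other escapes before using innerHTML. The function names and the fake document object are hypothetical; only the ids "inputBox" and "output" come from the lab.

```javascript
// Added example: hardened versions of the lab's reflectInput().
// All function names here are hypothetical; the ids come from the lab.

// Preferred fix: textContent creates a text node, so the HTML parser
// never sees the user's input.
function reflectInputSafe(doc) {
  const val = doc.getElementById("inputBox").value;
  doc.getElementById("output").textContent = "You entered: " + val;
}

// Fallback when an HTML string must be built: encode the five characters
// that are significant in element content and quoted attribute values.
const HTML_ENTITIES = {
  "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
};
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ENTITIES[ch]);
}

function reflectInputEscaped(doc) {
  const val = doc.getElementById("inputBox").value;
  doc.getElementById("output").innerHTML = "You entered: " + escapeHtml(val);
}

// Minimal stand-in for `document` so the example also runs under Node.
// In the lab page, pass the real `document` instead.
function makeFakeDocument(inputValue) {
  const els = {
    inputBox: { value: inputValue },
    output: { innerHTML: "", textContent: "" },
  };
  return { getElementById: (id) => els[id] };
}

// Constructed sample input: markup plus every character escapeHtml handles.
const SAMPLE = `<em title="x">hi</em> & 'more'`;

function demo() {
  const a = makeFakeDocument(SAMPLE);
  reflectInputSafe(a);
  const b = makeFakeDocument(SAMPLE);
  reflectInputEscaped(b);
  return {
    text: a.getElementById("output").textContent,
    html: b.getElementById("output").innerHTML,
  };
}

console.log(demo());
```

escapeHtml() is only correct for element content and quoted attribute values; input placed into a script block, a URL or a style needs encoding specific to that context.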