A03 — XSS Demo (currently in SAFE mode: output encoded)

This single page shows Stored XSS (“comments” kept in the PHP session) and Reflected XSS (a query parameter echoed back into the page). A SAFE/RAW toggle switches between the encoded and the unencoded rendering so the two can be compared side by side.

Stored XSS — Session “Comments”

SAFE-mode defence: encode on output with htmlspecialchars

Add a “comment”; it is stored verbatim in your PHP session and rendered again on every page load. In SAFE mode the comment is HTML-encoded at render time (htmlspecialchars with ENT_QUOTES), so the browser displays the markup as text instead of executing it. In RAW mode the stored string is written into the page unchanged, and the payload runs on every load, which is what makes stored XSS persistent rather than a one-off.

  1. Try posting: <script>alert('stored')</script>.
  2. Switch between RAW and SAFE: the same stored comment either executes or is shown as literal text, because the data never changed, only the output encoding did.

Comments

No comments yet.

Reflected XSS — Echoed Query

SAFE-mode defence: escape the value before reflecting it

The value of a query parameter is reflected straight back into the page, so the payload travels in the URL (for example in a crafted link) rather than being stored. In SAFE mode it is HTML-encoded before output, which neutralises both payloads below: each relies on the browser creating an <img> or <svg> element with an event-handler attribute, and once < and > arrive as &lt; and &gt; no element is created. htmlspecialchars is the right encoder only for the HTML-text and quoted-attribute contexts this demo uses; a value placed inside a <script> block, a URL, or an unquoted attribute needs a context-specific encoder instead.

  1. Try: <img src=x onerror=alert('reflect')>
  2. Or: <svg onload=alert(1)>
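As an added example (not the demo page's own source, which is not shown here), the following single-file PHP script reproduces both halves of the demo: comments stored verbatim in the PHP session and a query parameter reflected into the page, each rendered through the same SAFE (htmlspecialchars) or RAW (deliberately unencoded) path. The function names (enc, render, renderComments, renderReflected, normaliseMode) and the request parameter names (mode, q, comment, reset) are assumptions made for this example.

```php
<?php
// Added example, not the demo page's own code. Single-file PHP version of the
// stored + reflected XSS demo with a SAFE/RAW toggle. Parameter names
// (mode, q, comment, reset) and function names are assumptions.
// Run:  php -S 127.0.0.1:8080 xss_demo.php   then open http://127.0.0.1:8080/?mode=safe
declare(strict_types=1);

// SAFE-mode encoder for HTML-text and quoted-attribute contexts.
// ENT_QUOTES also encodes the single quote, so output is safe inside '...'
// attributes as well as "..." ones; ENT_SUBSTITUTE replaces invalid UTF-8 with
// U+FFFD instead of returning '' (which would silently drop the whole input).
function enc(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Render one untrusted string. RAW is the demo's vulnerable comparison path and
// exists only to show the difference; it must never ship in real code.
function render(string $untrusted, string $mode): string
{
    return $mode === 'raw' ? $untrusted : enc($untrusted);
}

// Stored half: comments are kept exactly as typed and encoded only at output
// time, so the same session data is shown safely whenever SAFE mode is on.
function renderComments(array $comments, string $mode): string
{
    if ($comments === []) {
        return '<p>No comments yet.</p>';
    }
    $items = array_map(fn(string $c): string => '<li>' . render($c, $mode) . '</li>', $comments);
    return '<ul>' . implode("\n", $items) . '</ul>';
}

// Reflected half: the query value is echoed straight back into the page body.
function renderReflected(string $q, string $mode): string
{
    return $q === '' ? '<p>Nothing reflected yet.</p>' : '<pre>' . render($q, $mode) . '</pre>';
}

// Anything other than the literal 'raw' (including arrays from ?mode[]=x) falls back to SAFE.
function normaliseMode(mixed $m): string
{
    return $m === 'raw' ? 'raw' : 'safe';
}

// ---- request handling (skipped under the CLI so the functions above can be reused) ----
if (PHP_SAPI !== 'cli') {
    session_start();
    header('Content-Type: text/html; charset=UTF-8');

    $mode = normaliseMode($_GET['mode'] ?? null);
    $q    = is_string($_GET['q'] ?? null) ? $_GET['q'] : '';

    if (isset($_GET['reset'])) {
        $_SESSION['comments'] = [];
    } elseif ($_SERVER['REQUEST_METHOD'] === 'POST' && is_string($_POST['comment'] ?? null)) {
        $_SESSION['comments'][] = $_POST['comment'];   // stored as typed, no input filtering
    }
    $comments = $_SESSION['comments'] ?? [];

    // The toggle link and forms are built with enc() as well: mode and q are
    // attacker-controlled and must not break out of their attribute context.
    $other = $mode === 'raw' ? 'safe' : 'raw';
    echo '<!doctype html><meta charset="utf-8"><title>A03 XSS demo</title>';
    echo '<h1>A03 XSS demo (' . enc(strtoupper($mode)) . ')</h1>';
    echo '<p><a href="?mode=' . enc($other) . '&amp;q=' . rawurlencode($q) . '">Switch to '
        . enc(strtoupper($other)) . '</a></p>';

    echo '<h2>Stored XSS</h2>';
    echo '<form method="post" action="?mode=' . enc($mode) . '">';
    echo '<input name="comment" placeholder="comment"> <button>Post</button> ';
    echo '<a href="?mode=' . enc($mode) . '&amp;reset=1">Reset Comments</a></form>';
    echo renderComments($comments, $mode);

    echo '<h2>Reflected XSS</h2>';
    echo '<form method="get"><input type="hidden" name="mode" value="' . enc($mode) . '">';
    echo '<input name="q" value="' . enc($q) . '"> <button>Reflect</button></form>';
    echo renderReflected($q, $mode);
}
```

With ?mode=raw, posting <script>alert('stored')</script> or requesting ?q=<svg onload=alert(1)> puts the markup into the document unchanged and the handler fires; with ?mode=safe the same bytes are emitted as &lt;svg onload=alert(1)&gt;, which the browser renders as text. Two design points worth noting: the comment is stored raw and encoded on output rather than sanitised on input, so the encoding is applied for the exact context the value lands in (here, HTML text), and the control values mode and q are encoded before being placed in attributes even in RAW mode, so the only intentionally vulnerable sink is the one the demo is about.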

Reflected Output

Nothing reflected yet.