June 17, 2026
PortSwigger : Stored XSS into HTML Context with Nothing Encoded
In this lab, the website has a stored XSS vulnerability in the comment function.
Imajinasidanar
The goal is to submit a comment that calls the alert function when the blog post is viewed.
SOLUTION
First, I accessed the lab and chose one of the available blog posts on the website.
In this case, I selected one blog post by clicking View post.
After opening the blog post, I scrolled down to the Leave a comment section.
In the comment field, I entered this XSS payload:
<script>alert(1)</script>
Then, I filled in the other fields (name, email, and website); these can be given any valid value.
After that, I clicked Post Comment.
Why This Payload Works
The payload used is:
<script>alert(1)</script>
The <script> tag tells the browser to run the JavaScript code it contains. Here that code is alert(1), a function that shows a pop-up alert with the value 1.
This happens because the website does not properly encode or filter the comment input. The browser treats the comment as real HTML and JavaScript code instead of normal text.
After clicking Post Comment, the website showed a confirmation page saying that the comment had been submitted.
At this point, the comment was already stored on the website.
To trigger the stored XSS, I clicked Back to blog or went back to the blog post.
When the blog post was viewed again, the stored comment was loaded by the page. Because the comment contained JavaScript code, the browser executed it and showed an alert pop-up.
The lab was successfully solved.
This lab shows how stored XSS can happen when user input is saved and later displayed on the page without proper encoding.
By entering this payload:
<script>alert(1)</script>
the website executed JavaScript code taken from the comment input.
From this lab, I learned that user input must be encoded before being displayed on a web page. This can prevent the browser from treating user input as executable code.
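To make the mechanism behind the lab and the lesson above concrete, here is an added example that is not part of the original write-up or of the PortSwigger lab code. It puts a rendering function that interpolates the comment straight into HTML (the lab's behaviour) beside one that HTML-encodes the user-controlled values first, then runs both outputs through Python's HTMLParser as a stand-in for the browser to show which tags became live markup and what text a reader would actually see. The comment template, the sample comments and the function names are all constructed for this illustration.

```python
import html
from html.parser import HTMLParser

# Constructed sample comments (not taken from the lab). The first body is the
# payload used in the write-up; the second is an ordinary comment that happens
# to contain characters with special meaning in HTML.
SAMPLE_COMMENTS = [
    {"name": "tester", "body": "<script>alert(1)</script>"},
    {"name": "alice", "body": "Nice post! 5 > 3 & 2 < 4"},
]

# Tags that the (constructed) comment template itself emits. Any other tag
# that shows up after parsing came from user input and is now live markup.
TEMPLATE_TAGS = {"div", "b"}


def render_comment_vulnerable(comment):
    """The lab's behaviour: raw user input is interpolated straight into HTML,
    so the browser parses any markup inside the comment as markup."""
    return f'<div class="comment"><b>{comment["name"]}</b>: {comment["body"]}</div>'


def render_comment_safe(comment):
    """The fix the write-up describes: HTML-encode every user-controlled value
    before it enters an HTML text context, so <, >, &, " and ' become entity
    references and the payload is displayed as literal text."""
    name = html.escape(comment["name"], quote=True)
    body = html.escape(comment["body"], quote=True)
    return f'<div class="comment"><b>{name}</b>: {body}</div>'


class _FragmentInspector(HTMLParser):
    """Stand-in for the browser's parser: records which start tags were seen
    and what text would be rendered for the reader."""

    def __init__(self):
        # convert_charrefs=True (the default) decodes &lt; back to < in text,
        # which is exactly what a browser does when it displays the page.
        super().__init__()
        self.tags = []
        self.text = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)

    def handle_data(self, data):
        self.text.append(data)


def inspect(rendered):
    """Returns (sorted tags that came from user input, visible text)."""
    parser = _FragmentInspector()
    parser.feed(rendered)
    parser.close()
    user_tags = sorted(set(parser.tags) - TEMPLATE_TAGS)
    return user_tags, "".join(parser.text)


if __name__ == "__main__":
    for comment in SAMPLE_COMMENTS:
        for label, render in (("vulnerable", render_comment_vulnerable),
                              ("encoded", render_comment_safe)):
            user_tags, text = inspect(render(comment))
            print(f"{label:>10}: live user tags={user_tags!r}  visible text={text!r}")
```

With the payload comment, the vulnerable rendering yields a live `script` tag, while the encoded rendering yields no user tags and a visible text of `tester: <script>alert(1)</script>`, which is the payload shown harmlessly as text. Note that html.escape is the right tool only for an HTML text context; a value placed inside an attribute, a URL or a JavaScript block needs the encoding appropriate to that context.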
Thanks for your attention