June 17, 2026
PortSwigger : Reflected XSS into HTML Context with Nothing Encoded
In this lab, the website has a reflected XSS vulnerability in the search function.
Imajinasidanar
Lab: Reflected XSS into HTML context with nothing encoded
This lab contains a simple reflected cross-site scripting vulnerability in the search functionality. To solve the lab…
The goal is to perform an XSS attack that calls the alert function.
SOLUTION
First, I clicked Access the Lab. After that, I was redirected to a blog website provided by the lab.
On the page, there is a search feature that can be used to search blog posts.
In the search box, I entered this payload:
<script>alert(1)</script>
Then I clicked the Search button.
Why This Payload Works
The payload used is:
<script>alert(1)</script>
The <script> tag is used to run JavaScript code in the browser.
Inside the script tag, there is alert(1). This function shows a pop-up alert box with the value 1.
This payload works because the website reflects the search input back into the page without encoding or filtering it.
Normally, user input should be treated as text. But in this case, the browser reads the input as real HTML and JavaScript code. Because of that, the script runs and the alert pop-up appears.
After submitting the search, a pop-up alert appeared on the page. This means the JavaScript code was successfully executed in the browser.
After the alert appeared, the lab status changed to Solved.
This lab shows how reflected XSS can happen when user input is displayed back on the page without proper encoding.
By entering this payload:
<script>alert(1)</script>
the website executed JavaScript code from the search input.
From this lab, I learned that user input must be encoded before being displayed on a web page. This can prevent the browser from treating user input as executable code.
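The unencoded reflection and the encoding fix described above, as an added example that is not part of the original write-up or the lab's source code. The page template and all function names are assumptions made for illustration.

```javascript
// Added example: constructed rendering logic, not the lab's real source code.

// Encode the characters that let text break out into HTML markup.
// "&" is replaced first so the entities produced below are not re-encoded.
function escapeHtml(text) {
  return String(text)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Vulnerable pattern: the search term is pasted into the page as-is,
// so the browser parses it as markup instead of text.
function renderResultsVulnerable(term) {
  return "<h1>0 search results for '" + term + "'</h1>";
}

// Hardened form: the term is HTML-encoded at the point of output,
// so the browser displays it as text.
function renderResultsEncoded(term) {
  return "<h1>0 search results for '" + escapeHtml(term) + "'</h1>";
}

// Regression check for a test suite: true when a term containing
// markup characters comes back in the response unencoded.
function reflectsRawMarkup(html, term) {
  return /[<>"']/.test(term) && html.includes(term);
}

const payload = "<script>alert(1)</script>"; // the payload from this write-up

console.log(renderResultsVulnerable(payload));
console.log(renderResultsEncoded(payload));
console.log("vulnerable reflects raw markup:",
  reflectsRawMarkup(renderResultsVulnerable(payload), payload));
console.log("encoded reflects raw markup:",
  reflectsRawMarkup(renderResultsEncoded(payload), payload));
```

The encoded version returns the same page with the search term shown as visible text, which is the behaviour the lab's search page is missing.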
Thanks for your attention.