I have an infected text that I’m testing with. In display mode, I get

Question

0

Editorial Team

Asked: May 23, 20262026-05-23T01:21:25+00:00 2026-05-23T01:21:25+00:00

I have an infected text that I’m testing with. In display mode, I get

0

I have an infected text that I’m testing with.

In display mode, I get the data from the database and display it on the page, and I get the XSS as expected.

In edit mode, I use the same form I used for initial entry and I populate the value from the database into the input fields (textarea in this case), but I’m not getting the XSS. Is this normal? Are form fields data not susceptible to XSS because the text is being displayed inside the form field? so no need for the XSS protection I use in normal display?

By the way, the specific XSS I’m testing with is this. I got it from the cheat sheet for XSS on hackers, the fisrt one.

';alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//\";alert(String.fromCharCode(88,83,83))//--></SCRIPT>">'><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>

Report

Leave an answer
Cancel reply

You must login to add an answer.

Need An Account,

1 Answer

Editorial Team · Answer 1 · 2026-05-23T01:21:26+00:00

Editorial Team

2026-05-23T01:21:26+00:00Added an answer on May 23, 2026 at 1:21 am

No, the form fields are suspectible for XSS, so you need to escape them as well

Template sample:

<input type="text" name="foo" value="{$value}" />

Value sample:

" /><script>alert(123);</script><input attr="

Result:

<input type="text" name="foo" value="" /><script>alert(42);</script><input attr="" />

0

Reply
Share
Share

- Report

Sign Up

Sign In

Forgot Password

The Archive Base Latest Questions

I have an infected text that I’m testing with. In display mode, I get

Leave an answerCancel reply

1 Answer

Leave an answer
Cancel reply