Blind XSS workflow
Track payloads that do nothing when submitted but execute later, once the stored input is rendered in an admin console, notification, log viewer, or CRM.
HTML payload check
This scenario tests how user input is rendered into HTML / DOM, not iframe sandbox behavior.
- Apply the same rendering policy to user, admin, operator, mail, and log surfaces
- Do not include secrets in callbacks; record only execution time and surface
- Treat stored XSS as a delayed-surface test case
Payload
Replace with a callback endpoint you own during authorized testing.
Preview
The preview intentionally renders the payload unsafely for teaching purposes. A real service should escape it as text or strip it before output.
Explanation
- Blind XSS may do nothing on the submitter's screen, then run later inside admin tools, notifications, email, or log views.
- Use only callback endpoints you control, and avoid sending cookies or tokens. Record execution location and timing instead.
- Defense is broader than user-facing sanitization. Operator consoles, error reports, CRMs, and email templates need the same output policy.
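The last bullet is the core defensive point: one output-encoding policy applied to every surface that later renders stored input, not only the submitter's page. The following is an added example, not part of this page's lab code; the stored values, surface names and `surface_is_safe` check are constructed for illustration, and `callback.example` is a placeholder domain.

```python
import html
import re
from dataclasses import dataclass

# Constructed sample submission: a "name" that a naive admin console or
# log viewer would execute later, and a note that tries to break out of
# a double-quoted attribute. The callback domain is a placeholder.
STORED_NAME = '<script src="https://callback.example/probe.js"></script>'
STORED_NOTE = 'x" onmouseover="probe()'


@dataclass
class Submission:
    name: str
    note: str


def esc(value: str) -> str:
    """Single output policy shared by every surface: HTML-escape text so it is
    safe both as element content and inside double-quoted attribute values."""
    return html.escape(value, quote=True)


def render_user_confirmation(s: Submission) -> str:
    # User-facing surface (where the payload looks harmless on submit).
    return f"<p>Thanks, {esc(s.name)}!</p>"


def render_admin_row(s: Submission) -> str:
    # Admin console: the delayed surface. Same policy, attribute and element context.
    return f'<tr title="{esc(s.note)}"><td>{esc(s.name)}</td></tr>'


def render_log_line(s: Submission) -> str:
    # Log viewer that renders entries as HTML must apply the same policy.
    return f"<li>signup name={esc(s.name)} note={esc(s.note)}</li>"


def render_admin_row_unsafe(s: Submission) -> str:
    # The "before" state: raw stored text interpolated into the admin view.
    return f'<tr title="{s.note}"><td>{s.name}</td></tr>'


_MARKUP = re.compile(r'[<>"\']')


def surface_is_safe(render, s: Submission) -> bool:
    """Review check for a delayed surface: no stored value containing
    markup-significant characters may survive verbatim into the output."""
    out = render(s)
    return not any(_MARKUP.search(v) and v in out for v in (s.name, s.note))
```

Running `surface_is_safe` over each renderer with the constructed submission flags `render_admin_row_unsafe` and passes the three that share `esc`.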