script tag injection
Check whether a raw script tag executes when user input is parsed as an HTML document.
HTML payload check
This scenario tests how user input is rendered into HTML / DOM, not iframe sandbox behavior.
- Verify whether input is escaped as text or parsed as a real script tag
- Verify whether your HTML filter removes script tags and dangerous attributes
- Verify whether CSP script-src blocks inline script execution
Payload
The baseline payload for checking raw reflection into an HTML document.
Preview
The preview intentionally performs unsafe rendering for learning. In a real service, this payload should be escaped as text or removed.
Explanation
- If the server reflects user input directly into the HTML document, <script> tags get parsed and executed. innerHTML-inserted script tags do not execute in modern browsers, which is why this preview uses an isolated full-document render to reproduce the parse.
- Defense is a combination of context-aware output encoding, a trusted HTML filter, and CSP script-src.