Interactive Example Cross-Site Scripting


The panel on the right shows a simple form for a user profile on a website. You can enter your name and a bio. However, these inputs are not validated or escaped at all. Have a go at trying different inputs to see what you can make happen to the page. If the data were stored in a database, anyone who visited your profile would see the result as well!

Fortunately, modern browsers are very clever and protect end users from some cross-site scripting. Unfortunately, this means the demo doesn't work in Safari and may not work in other WebKit browsers. That is no excuse for not escaping your inputs, though!
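To make the fix concrete, here is an added example (not code from the demo itself) that renders the same kind of name-and-bio profile two ways: once by pasting the values straight into HTML, as the demo does, and once after escaping them. The profile values are constructed sample input and the function names are assumptions.

```javascript
// Escape the five characters that can change HTML structure or break out of a
// double-quoted attribute. This is enough for text placed in element content
// or in a quoted attribute; URL, CSS and script contexts need their own encoding.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Vulnerable: raw string concatenation, which is what the demo form does.
// Any markup typed into the name or bio becomes part of the page.
function renderProfileUnsafe(profile) {
  return `<h2>${profile.name}</h2><p class="bio">${profile.bio}</p>`;
}

// Hardened: every untrusted value is escaped at the point it enters HTML.
// In a live page, assigning to element.textContent instead of innerHTML
// achieves the same effect without hand-built strings.
function renderProfileSafe(profile) {
  return `<h2>${escapeHtml(profile.name)}</h2>` +
         `<p class="bio">${escapeHtml(profile.bio)}</p>`;
}

// Constructed sample input: ordinary-looking text that happens to contain
// markup and quote characters, the kind of thing the demo invites you to try.
const SAMPLE_PROFILE = {
  name: 'Mallory <i>"the tester"</i>',
  bio: 'Likes <b>bold</b> claims & "quotes"',
};

// Quick check for a test suite: the user's markup must not survive rendering
// as real tags, i.e. no raw "<" from the input may reach the output.
function inputMarkupIsNeutralised(profile) {
  const html = renderProfileSafe(profile);
  const raw = profile.name + profile.bio;
  return !/[<>]/.test(raw) || !html.includes("<b>") && !html.includes("<i>");
}

console.log(renderProfileUnsafe(SAMPLE_PROFILE));
console.log(renderProfileSafe(SAMPLE_PROFILE));
console.log("neutralised:", inputMarkupIsNeutralised(SAMPLE_PROFILE));
```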