-4

I wanna make a little input box where a user can submit a code and it happen like i they put

    <script>alert("this is an alert")</script>

then a alert would pop up on the page I need this for education purposes

      <form><input type="text" name="xss"><input type="submit"></form>
    <p>Result: <?= $_GET['xss'] ?></p>

Thats what i have tried but it doesnt work and w3c does not cover how to MAKE an XSS vulnerable input

CoderJoe
  • 23
  • 6
  • Welcome to Stack Overflow! This question is a little short on information. Can you share what you have tried, and what problems you have run into? – Jay Blanchard Apr 22 '15 at 17:50
  • [`eval()`](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/eval) seems to be what you want. – Blazemonger Apr 22 '15 at 17:50
  • I added more clarity and what i have tried – CoderJoe Apr 22 '15 at 17:55
  • From [this old question](http://stackoverflow.com/questions/1100354/how-can-i-echo-html-in-php) it looks like you want to `` – Rup Apr 22 '15 at 17:59

1 Answers1

0

There are several ways to do this. As one person suggested you could indeed use eval(). Just like the following:

<input type='text' id='vulnBox' value="alert('hello');"/>
<button onclick="eval(document.getElementById('vulnBox').value)">test</button>

Here's the corresponding fiddle example JSFiddle

If your interaction is more client to server then you could use $_GET in php to read your malicious javascript from the url and output into the contents of the page.

So someone would visit the page with a URL like:

yoursite.com?xss=%3Cscript%3Ealert()%3C%2Fscript%3E

and your php file would contain:

<?php echo urldecode($_GET['xss']); ?>

Hope this helps!

Chris B
  • 733
  • 3
  • 10
  • this is sorta what i want the problem is you cant enter the script tags or it does not work – CoderJoe Apr 22 '15 at 18:48
  • I see. So you really want something more client-server based. If you're using $_GET then php will look for the variable xss on the url. so yoursite.com?xss=%3Cscript%3Ealert()%3C%2Fscript%3E. Then in your php code you'll want to use – Chris B Apr 23 '15 at 11:41
  • Ok, thanks! I edited this answer. I hope it helps you figure out how to build the page you want. – Chris B Apr 23 '15 at 16:56