I am just trying to exercise on xss and I want the alert box to pop up on echo which should work on echo. I am doing exercises based on concepts and hier I have a wrong usage of htmlspecialchars, which is vulnerable to xss. However this is not really working and I don't get why. here is my code
$name=htmlspecialchars($_GET['myname']);
echo "<HTML><body>";
echo '<form action="">';
echo "name: <input type='text' name='myname' ><br>";
echo "<input type='submit' ></form>";
echo $name; // here I want the xss to execute a popup box
echo "</HTML></body>";
The input script looks like this.
<script>alert();</script>
I have also tried many alternatives. The script is displayed as I typed it and there is not alert box.