Here is a simple form that I want to try and attack with XSS. I am using Chrome.

    <?php
    echo $_GET['comment'];
    ?>
    <script>alert('from HTML')</script>
    <form method="GET" action="">
    Name:
    <input type="text" name="name" />
    <br/><br/>
    Comment:
    <input type="text" name="comment" />
    <br/><br/>
    <input type="submit" value="Submit" />
    </form>

So I entered into the comment text-box the following: <script>alert('hi')</script>. However, it's not working.
The only alert box that pops up is "from HTML", which I have written directly into the code.
When looking at the page source the following is written:

    <script>alert('hi')</script>
    <script>alert('from HTML')</script>

Why is it not executing the first alert?