Medium | Reflected XSS | Pro
Chorus
An indie-music site personalises your greeting with a little inline JavaScript. The escape function caught the HTML. Not the JS.
The Scenario
Chorus is an indie music review site. The dev added a personal "Hi, <name>!" greeting using an inline script that calls htmlspecialchars — but without ENT_QUOTES. Angles are escaped. Quotes aren't. Guess which one matters inside a JavaScript string literal.
Challenge Intel
Synopsis
Reflection lands inside a JS string literal. Escape the string, not the DOM.
What It Is
A PHP greeting page that injects the visitor's name into an inline <script> block after escaping only the angle brackets.
Who It's For
Students who know XSS has multiple contexts and want the JS-string variant.
Skills You'll Practice
- JS string escape + statement injection
- Recognising ENT_NOQUOTES as insufficient inside a script tag
What You'll Gain
- Familiarity with JS-context XSS
- A concrete example of why context-aware escaping matters
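The context mismatch described above, seen from the server side. This is an added example, not the challenge's own source: the function names, the client-side greet() call, the single-quoted literal and the sample name are all assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Weak: the value is escaped for HTML, then placed inside a JS string literal.
// ENT_NOQUOTES leaves both ' and " untouched, so any quote in the value ends
// the literal early and the rest is parsed as script source.
function greet_weak(string $name): string
{
    $escaped = htmlspecialchars($name, ENT_NOQUOTES, 'UTF-8');
    return "<script>var who = '" . $escaped . "'; greet(who);</script>";
}

// Hardened: encode for the context the value lands in. json_encode() emits a
// complete, quoted JS string literal, and the JSON_HEX_* flags rewrite
// < > & ' " as \uXXXX, so the value can close neither the string nor the
// surrounding <script> element.
function greet_safe(string $name): string
{
    $flags = JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT
           | JSON_THROW_ON_ERROR;
    return '<script>var who = ' . json_encode($name, $flags) . '; greet(who);</script>';
}

// Alternative: keep user data out of script source altogether. The value sits
// in an HTML attribute (where htmlspecialchars with ENT_QUOTES is the right
// encoder) and a static script reads it back through the DOM.
function greet_data_attr(string $name): string
{
    $attr = htmlspecialchars($name, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<span id="greeting" data-name="' . $attr . '"></span>'
         . '<script>greet(document.getElementById("greeting").dataset.name);</script>';
}

// Constructed input: an ordinary name that happens to contain a quote.
$sample = "Sinéad O'Connor";

echo greet_weak($sample), PHP_EOL;      // literal is cut short at the apostrophe
echo greet_safe($sample), PHP_EOL;      // apostrophe arrives as a \u escape
echo greet_data_attr($sample), PHP_EOL; // apostrophe arrives as an HTML entity
```

Even a legitimate name breaks the weak version, which makes an apostrophe in test data a cheap regression check for this class of bug.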