9Eki
Bypassing HTML Encoding for XSS in Search Input
I'm a beginner bug hunter and I'm currently looking for XSS vulnerabilities in a search input where the search result is displayed on the page like this:
Search Result -
<script>alert(1)</script>
The application allows the use of certain special characters like #, $, %, -, /, and \, but it blocks and encodes < and >. For example, when I try the payload <script>alert(1)</script>, the < and > symbols are HTML-encoded.
Is there any way to bypass this encoding and trigger the XSS?
