9Eki
Bypassing HTML Encoding for XSS in Search Input
I'm a beginner bug hunter and I'm currently looking for XSS vulnerabilities in a search input where the search result is displayed on the page like this:
Search Result -
<script>alert(1)</script>
The application allows the use of certain special characters like #
, $
, %
, -
, /
, and \
, but it blocks and encodes <
and >
. For example, when I try the payload <script>alert(1)</script>
, the <
and >
symbols are HTML-encoded.
Is there any way to bypass this encoding and trigger the XSS?