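<?php

declare(strict_types=1);

/*
 * Demo: three ways to place an untrusted value into a double-quoted HTML
 * attribute (`<img src="...">`) so that it cannot close the quote and inject
 * a new attribute (the payload below tries `" onload="...`).
 *
 * Caveat: all three only stop the value from breaking OUT of the attribute.
 * `src`/`href` are URL contexts, so a value such as `javascript:alert(1)` would
 * survive htmlentities() untouched; validate the scheme (or accept only
 * relative paths / an allow-list) BEFORE escaping when the value ends up in a
 * URL-bearing attribute.
 */

/**
 * Escape an arbitrary string for use inside a double-quoted HTML attribute.
 *
 * @param string $value untrusted text
 * @return string HTML-entity-encoded text; `"` -> &quot;, `'` -> &apos;
 */
function escapeForAttribute(string $value): string
{
    // ENT_QUOTES: encode both " and ' so neither can terminate the attribute.
    // ENT_SUBSTITUTE: replace malformed UTF-8 with U+FFFD instead of returning
    // '' (without it, one bad byte silently blanks the whole value).
    return htmlentities($value, ENT_QUOTES | ENT_HTML5 | ENT_SUBSTITUTE, 'UTF-8');
}

/**
 * Substitute an already-encoded value for the `{{ a }}` placeholder.
 *
 * @param string $template markup containing the literal placeholder `{{ a }}`
 * @param string $value    text that is ALREADY safe for the target context
 * @return string the filled template
 */
function fill(string $template, string $value): string
{
    return str_replace('{{ a }}', $value, $template);
}

$string  = '<img src="{{ a }}" />';
$payload = '" onload="alert(\'XSS!\');"';

// 1. Attribute-context escaping: quotes become entities, attribute stays intact.
var_dump(fill($string, escapeForAttribute($payload)));

// 2. URL query built from an array: http_build_query() percent-encodes each
//    value (`"` -> %22), so nothing in the result can end the attribute.
var_dump(fill($string, '/somefile.php?' . http_build_query(['url' => $payload])));

// 3. Raw urlencode(): safe for the same reason, but note it also encodes `/`,
//    so it is only suitable for a single query component, not a whole path.
var_dump(fill($string, urlencode($payload)));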