To demonstrate an XSS attack, I am building a web app which does the following:
1. Works like a forum
2. Takes posts from users via an HTML textarea and stores these messages in the MySQL db
3. Displays all posts from the users on a thread. The objective is to show an XSS attack such as
    alert("attack");
I am using a MySQL db with Apache and PHP.
On entering the following input into the textarea:
    <script>alert("attack");</script>
However, on manually adding the above script into the DB, the expected alert box pops up.
Does anyone know what's going on?
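The setup described in the post (textarea post, stored in MySQL, echoed back on a thread page), written out as an added example. This is not the original poster's code; it assumes a `posts` table with `id` and `body` columns, a PDO connection, and placeholder credentials. It shows the two output paths side by side: the vulnerable one that echoes the stored body straight into the HTML (which is what makes a stored `<script>` tag run in every visitor's browser), and the hardened one that HTML-encodes on output.

```php
<?php
// Added example, not the original poster's code. Assumes a MySQL table
// `posts` (columns `id`, `body`) and placeholder connection details.
$pdo = new PDO('mysql:host=localhost;dbname=forum;charset=utf8mb4', 'user', 'pass', [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
]);

// Store a submitted post. The prepared statement prevents SQL injection,
// but it does nothing about XSS: the <script> tag is stored verbatim.
if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_POST['body'])) {
    $stmt = $pdo->prepare('INSERT INTO posts (body) VALUES (?)');
    $stmt->execute([$_POST['body']]);
}

// Vulnerable rendering: the stored body is concatenated into the page
// unescaped, so a body of <script>alert("attack");</script> executes
// in the browser of everyone who views the thread (stored XSS).
function render_post_vulnerable(string $body): string
{
    return '<div class="post">' . $body . '</div>';
}

// Hardened rendering: HTML-encode at the point of output. '<' becomes
// '&lt;', '"' becomes '&quot;', so the browser shows the script text
// instead of executing it. Encoding on output (not on input) keeps the
// stored data intact and protects every place the data is displayed.
function render_post_safe(string $body): string
{
    return '<div class="post">'
        . htmlspecialchars($body, ENT_QUOTES | ENT_HTML5, 'UTF-8')
        . '</div>';
}

// Thread view. Swap in render_post_vulnerable() to reproduce the attack.
foreach ($pdo->query('SELECT body FROM posts ORDER BY id') as $row) {
    echo render_post_safe($row['body']), "\n";
}
?>
<form method="post">
  <textarea name="body"></textarea>
  <button type="submit">Post</button>
</form>
```

To see the difference, submit the `<script>alert("attack");</script>` payload through the form and view the thread once with each render function: the vulnerable path pops the alert, the safe path prints the tag as literal text. A useful check when the alert does not appear is to look at the stored row with `SELECT body FROM posts` and compare it byte for byte with what was typed; if the stored value already contains `&lt;script&gt;` or backslashes, something on the input path altered it before it reached the database.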