Bypassing JavaScript input validation

Mandiant has made a purposely vulnerable page with two forms that are open to XSS. The first form does no validation at all; the second validates the input to block <script> tags. With script tags blocked, it is still simple to achieve XSS, because the check is a blocklist for one tag rather than proper output encoding.

[screenshot: input1]

Submitting a payload that contains script tags to the second form returns an "invalid input" message.

[screenshot: input2]

With the help of the OWASP XSS Filter Evasion Cheat Sheet it's possible to send something else that triggers an alert without any script tags, for example:

<svg/onload=alert('XSS')>

This works because the browser fires the onload event handler as soon as it parses the <svg> element, and the slash separates the tag name from the attribute without a space, so a filter that only looks for the word "script" (or for "<svg ") never matches.

Submitting that payload makes the alert fire, which shows the form is still vulnerable even without script tags.

[screenshot: input3]
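To make the point concrete, here is an added example (not code from the original post or from Mandiant's lab) that models a blocklist validator of the kind the second form appears to use, runs the svg payload and two similar ones past it, and shows the contextual output encoding that actually stops them. The validator's regex, the helper names, and the hasEventHandler heuristic are assumptions made for this example; the lab's real check is not shown on the page.

```javascript
// Added example, not the original post's code. Models a "block <script>"
// validator, shows payloads that slip past it, and contrasts it with
// output encoding. The validator regex and helper names are assumptions.

// Naive blocklist check: reject anything that looks like a <script> tag.
// Returns true when the input is accepted by the filter.
function naiveValidate(input) {
  return !/<\s*\/?\s*script/i.test(input);
}

// Constructed payloads that contain no script tag but still run JavaScript.
// The first is the one used in the walkthrough above.
const BYPASS_PAYLOADS = [
  "<svg/onload=alert('XSS')>",
  "<img src=x onerror=alert('XSS')>",
  "<details open ontoggle=alert('XSS')>",
];

// Heuristic used only by this example: does the fragment contain an element
// start tag carrying an on* event-handler attribute, or a script tag?
function hasEventHandler(fragment) {
  return /<[a-z][^>]*\bon\w+\s*=/i.test(fragment) || /<\s*script/i.test(fragment);
}

// Output encoding for an HTML text or attribute context: the five characters
// that carry meaning become entities, so the browser never sees a new tag.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable behaviour: if the blocklist accepts the value, it is reflected
// into the page as raw HTML. Returns null when the filter rejects it.
function reflectVulnerable(input) {
  return naiveValidate(input) ? input : null;
}

// Hardened behaviour: the value is always encoded for the context it lands in,
// regardless of whether it looks "dangerous".
function reflectHardened(input) {
  return escapeHtml(input);
}

// Summary table for one payload: filter verdict and whether executable
// markup reaches the page under each strategy.
function assess(payload) {
  const raw = reflectVulnerable(payload);
  return {
    payload,
    passesFilter: naiveValidate(payload),
    executesWhenReflectedRaw: raw !== null && hasEventHandler(raw),
    executesWhenEncoded: hasEventHandler(reflectHardened(payload)),
  };
}

for (const p of ["<script>alert('XSS')</script>", ...BYPASS_PAYLOADS]) {
  console.log(assess(p));
}
```

Two caveats worth keeping in mind when reading the output. First, every payload in the list passes the blocklist and still reaches the page as executable markup, while the encoded version of each is inert: the fix is to encode on output for the HTML context, not to enumerate bad tags. Second, because the validation in the lab runs in JavaScript in the browser, it runs on the attacker's machine; any client-side check can be skipped outright by editing the request in a proxy, so the same encoding (and any validation that matters) has to happen server-side.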