// Challenge 02 / 05
Speak Your Mind
This platform allows users to leave public comments on a shared board. The developer was in a rush and skipped input sanitization — whatever you type gets rendered directly into the page as HTML. Some vectors are blocked, but not all of them.
Objective: Inject a payload that executes JavaScript in the browser. When you succeed, the flag will reveal itself. Not every XSS vector will work here — find the one that slips through.
Would love to add my website link! - George
Mickey Mouse is my favorite character! - Alice
After opening notifications, my older uncle suddenly explained our vacation ended early. - Bob
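
The flaw described in the challenge text, seen from the defender's side: an added example (not the challenge's own code) comparing a pattern blocklist with output encoding when a comment is rendered. The function names, the blocklist pattern and the sample comments are constructed for illustration.

```javascript
// Added example, not the challenge's code. All names and inputs are constructed.

// Weak approach: strip the patterns the developer thought of.
// Anything not on the list is passed through and parsed by the browser as HTML.
function blocklistFilter(input) {
  return input.replace(/<\/?script[^>]*>/gi, "");
}

// Robust approach: encode on output so a comment is always treated as text.
const HTML_ENTITIES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
function escapeHtml(input) {
  return String(input).replace(/[&<>"']/g, (ch) => HTML_ENTITIES[ch]);
}

// Build the list item for one comment; `encode` is the treatment applied to the body.
function renderComment(author, text, encode) {
  return `<li class="comment">${encode(text)} - ${escapeHtml(author)}</li>`;
}

// True when the rendered body still contains a tag opener the browser would parse.
function containsMarkup(html) {
  const inner = html.replace(/^<li class="comment">/, "").replace(/<\/li>$/, "");
  return /<[a-z!\/]/i.test(inner);
}

// Constructed sample comments containing harmless markup and plain symbols.
const samples = [
  { author: "George", text: 'Visit <a href="https://example.com">my site</a>' },
  { author: "Alice", text: "I <b>love</b> Mickey" },
  { author: "Bob", text: "2 < 3 & 5 > 4" },
];

// For each sample, report whether user-supplied markup survives each treatment.
function compare() {
  return samples.map(({ author, text }) => ({
    author,
    blocklist: containsMarkup(renderComment(author, text, blocklistFilter)),
    encoded: containsMarkup(renderComment(author, text, escapeHtml)),
  }));
}

console.log(compare());
```

In browser code the equivalent fix is to assign the comment with `textContent` rather than `innerHTML`, so the text is never parsed as markup.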