As usual, the first step is to analyse the application. It has a search functionality, so let's search for a random string, open the developer tools and find where the user input is located in the HTML.
If we look in the debugger's Sources panel for JavaScript files we will find this:
From this we know that the injection point is the comment field, and we can also see the protection mechanism, the escapeHTML() function.
It uses the JavaScript replace() function to encode angle brackets. However, when the first argument is a string, the function only replaces the first occurrence. We exploit this by simply including an extra set of angle brackets at the beginning of the comment. These angle brackets will be encoded, but any subsequent angle brackets are unaffected, which bypasses the filter and lets us inject HTML.
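To make the flaw concrete, here is an added example (not the lab's own code) that reproduces the string-pattern replace() mistake described above next to a corrected encoder that uses a global regular expression. The function names and the sample input are constructed for this demonstration; the only thing taken from the page is the pattern itself.

```javascript
// Added example (not the lab's own code): the flawed escapeHTML() pattern
// described above, beside a corrected version, so the difference can be
// checked directly. Function names are assumptions for this demonstration.

// Flawed: String.prototype.replace() with a *string* pattern only replaces
// the first occurrence, so every angle bracket after the first of each kind
// reaches the DOM unencoded.
function escapeHTMLBroken(html) {
  return html.replace('<', '&lt;').replace('>', '&gt;');
}

// Corrected: a regular expression with the global (g) flag replaces every
// occurrence. Ampersand is encoded first so the entities produced later are
// not double-encoded; quotes are covered as well for attribute contexts.
function escapeHTMLFixed(html) {
  return html
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Check used in review: does any raw angle bracket survive encoding?
// true means the encoder can still let markup through for this input.
function leavesRawMarkup(encoded) {
  return /[<>]/.test(encoded);
}

// Constructed sample input: a harmless leading "<>" pair absorbs the single
// replacement, so the tag that follows it is what the broken encoder leaks.
const sample = '<><b>still markup</b>';

console.log(escapeHTMLBroken(sample)); // &lt;&gt;<b>still markup</b>
console.log(escapeHTMLFixed(sample));  // &lt;&gt;&lt;b&gt;still markup&lt;/b&gt;
console.log(leavesRawMarkup(escapeHTMLBroken(sample))); // true
console.log(leavesRawMarkup(escapeHTMLFixed(sample)));  // false
```

Running the block shows that the broken encoder leaves the `<b>` tag untouched after the first pair is consumed, while the global-regex version encodes every bracket. In a code review, any `.replace('<', ...)` with a string first argument on untrusted input is the line to flag; the fix is the regex with `g`, or better, avoiding innerHTML for user data altogether and assigning to textContent.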
Exploit
The alert will then pop up once we return to the blog.