Reputation: 385
I am learning about XSS. However, most of the things that I see online are more theory and I just wanted to see it in action. So I have a form like below:
<?php
// Read the submitted value; default to '' so the first (GET) load does not raise an undefined-index notice.
// The value is deliberately NOT escaped: it is reflected into the page below as-is.
$input_xss = $_POST['input_xss'] ?? '';
?>
<!doctype html>
<html lang="en">
<head>
<meta charset="utf-8">
<title>The HTML5 Herald</title>
<meta name="description" content="The HTML5 Herald">
<meta name="author" content="SitePoint">
<link rel="stylesheet" href="css/styles.css?v=1.0">
</head>
<body>
<form action="." method="POST">
<label for="input_xss">Enter Text Here </label>
<input type="text" id="input_xss" name="input_xss"><br/>
<?php echo $input_xss; /* reflected XSS sink: raw user input written into HTML */ ?>
<input type="submit" value="SUBMIT">
</form>
</body>
</html>
I am not intentionally sanitizing the input, to see how XSS actually works. So, if I input something like <b> This is bold </b>
I see the output in bold, and thus the input is not escaped. However, if I enter something like:
<script>alert('hi');</script>
I do not see the JavaScript alert window, although I see <script>alert("hi") ; </script>
when I view the source code in the browser. Why does the JS alert window not pop up?
Upvotes: 0
Views: 1163
Reputation: 15570
Such trivial XSS is sometimes prevented by the browser. Chrome is, I think, a little better at this than others. Your example is easy for the browser, because JavaScript from a page parameter gets echoed back in the page body, so it just won't be run. You should get a console log message about it, if I remember correctly.
Note that only a small number of XSS attacks will be prevented by this, only the trivial ones.
You can disable this feature with an X-XSS-Protection: 0 response header, but you should only do so for learning purposes.
Upvotes: 3
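The following is an added example, not code from the question or the answer above. It models the two things the answer describes so they can be run side by side: a toy version of the old browser "XSS auditor" heuristic (a request parameter that looks like script and appears verbatim in the response is not executed), the `X-XSS-Protection: 0` header that switches that check off, and the server-side fix the question's page is missing, which is HTML-escaping the reflected value. Function names (`auditorWouldBlock`, `escapeHtml`, `renderBody`, `responseHeaders`, `simulateRequest`) are my own choices; real auditors were more elaborate than this one-line heuristic, and Chrome removed its XSS Auditor entirely in version 78, so in a current Chromium browser the alert fires with or without the header. The escaping fix is the part to rely on.

```javascript
// Added example: toy model of the browser-side check described in the answer,
// next to the server-side fix. Names and heuristics are illustrative assumptions.

const SCRIPT_RE = /<script[\s>]/i;

// Heuristic the old "XSS auditor" applied to the trivial case: a request
// parameter that looks like a script element and shows up verbatim in the
// response body is treated as reflected XSS, and the script is not executed.
function auditorWouldBlock(paramValue, responseHtml) {
  return SCRIPT_RE.test(paramValue) && responseHtml.includes(paramValue);
}

// Escape the characters that matter when writing user input into an HTML
// text context. This is what the PHP page should do before echoing.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Server-side rendering of the form body. escapeOutput=false reproduces the
// question's `<?php echo $input_xss; ?>`; escapeOutput=true is the fixed version.
function renderBody(inputXss, escapeOutput) {
  const reflected = escapeOutput ? escapeHtml(inputXss) : inputXss;
  return [
    '<form action="." method="POST">',
    '<label for="input_xss">Enter Text Here </label>',
    '<input type="text" id="input_xss" name="input_xss"><br/>',
    reflected,
    '<input type="submit" value="SUBMIT">',
    '</form>',
  ].join('\n');
}

// Response headers for the two modes. `X-XSS-Protection: 0` turns the auditor
// off in browsers that still have one; use it only for a learning setup.
function responseHeaders(learningMode) {
  const headers = { 'Content-Type': 'text/html; charset=utf-8' };
  if (learningMode) headers['X-XSS-Protection'] = '0';
  return headers;
}

// One request/response round trip: does a <script> element land in the page,
// would the (toy) auditor block it, and does it end up executing?
function simulateRequest(inputXss, { escapeOutput = false, learningMode = false } = {}) {
  const html = renderBody(inputXss, escapeOutput);
  const auditorOn = responseHeaders(learningMode)['X-XSS-Protection'] !== '0';
  const scriptInPage = SCRIPT_RE.test(html);
  const blocked = auditorOn && auditorWouldBlock(inputXss, html);
  return { html, scriptInPage, blocked, executes: scriptInPage && !blocked };
}

// Constructed sample inputs: the two values from the question.
const BOLD_INPUT = '<b> This is bold </b>';
const SCRIPT_INPUT = "<script>alert('hi');</script>";

if (typeof require !== 'undefined' && require.main === module) {
  console.log('vulnerable page, auditor on :', simulateRequest(SCRIPT_INPUT));
  console.log('vulnerable page, auditor off:', simulateRequest(SCRIPT_INPUT, { learningMode: true }));
  console.log('escaped page                :', simulateRequest(SCRIPT_INPUT, { escapeOutput: true }));
}
```

Run it with `node` to see the three cases. The point to take away is that the header only changes whether the browser intervenes; with `escapeOutput: true` the `<script>` element never reaches the page at all, which is the fix that does not depend on browser behaviour.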