Reflected XSS

/reflected · sink: Markup() / |safe

Search box echoes your query into the page without escaping.


Hint

The query is rendered as raw HTML. Anything you put in ?q= ends up in the page body verbatim. Try the canonical <script>alert(1)</script>.
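The sink named above next to its corrected forms, as an added example that is not the lab's own source. It assumes the markupsafe package (the library behind Jinja's Markup and |safe); every function name here is hypothetical, and the sample input is the probe string from the hint.

```python
from markupsafe import Markup, escape

# Constructed sample input: the probe string from the hint above.
PROBE = "<script>alert(1)</script>"


def autoescape(value):
    """Model of what Jinja autoescaping applies to each {{ value }}."""
    return str(escape(value))


def render_vulnerable(q):
    # Markup() (or the |safe filter, which wraps its input in Markup) marks
    # the string as already-safe HTML, so escape() returns it unchanged.
    return "<p>Results for " + autoescape(Markup(q)) + "</p>"


def render_fixed(q):
    # Plain str: autoescaping turns < > & ' " into HTML entities.
    return "<p>Results for " + autoescape(q) + "</p>"


def render_fixed_markup(q):
    # If HTML must be built in Python, keep only the literal template in
    # Markup and pass user data through .format(), which escapes arguments.
    return str(Markup("<p>Results for {}</p>").format(q))


def reflects_raw_html(body, q):
    """Regression check: True if a query with markup characters comes back unescaped."""
    return any(c in q for c in "<>\"'&") and q in body


if __name__ == "__main__":
    for fn in (render_vulnerable, render_fixed, render_fixed_markup):
        body = fn(PROBE)
        print(f"{fn.__name__:20} raw={reflects_raw_html(body, PROBE)}  {body}")
```

The reflects_raw_html check can be reused as a regression test against the rendered response once the Markup() / |safe call is removed from the search template.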

View source for this lab → · /meta/reflected