The text entered in the fields below will be POSTed to a JSP page that displays all values directly in the web page without any escaping or validation.

However, the web site is configured to use the Parameter Validation Filter, so the resulting page will not contain XSS code.

OWASP has some common XSS filter evasion tests that can be used.

The source code for this web app can be found here.

If you find a way to embed an XSS payload into the DisplayPost.jsp page, please add a comment to this article.

This field accepts free text. You can post in HTML here.

This field accepts plain text (i.e. no HTML or encoded text).

This is another field, included only to make sure we are validating all parameters with the validation chains.

This field only accepts a number. This is a test of the regex matching.

If you have entered any invalid text, pressing the submit button will result in an HTTP 400 response code.

Otherwise you should see the text you entered displayed on the next page.
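The behaviour described above (per-parameter allow-list rules, free text exempt, HTTP 400 on any mismatch before the JSP runs) can be sketched as a servlet filter. This is an added illustration, not the Parameter Validation Filter's own code; the parameter names freeText, plainText, anotherField and number are assumed for the example.

```java
import javax.servlet.*;
import javax.servlet.http.*;
import java.io.IOException;
import java.util.*;
import java.util.regex.Pattern;

// Added example of an allow-list parameter validation filter; not the project's own code.
public class DemoParameterValidationFilter implements Filter {

    // Hypothetical parameter names chosen for this example.
    private static final Map<String, Pattern> RULES = new HashMap<>();
    // Parameters allowed to carry HTML; the displaying JSP must encode these on output.
    private static final Set<String> HTML_ALLOWED = new HashSet<>(Arrays.asList("freeText"));
    static {
        // Plain text only: no angle brackets and no '&', so neither tags nor entity-encoded text pass.
        RULES.put("plainText", Pattern.compile("^[^<>&]*$", Pattern.DOTALL));
        RULES.put("anotherField", Pattern.compile("^[^<>&]*$", Pattern.DOTALL));
        // Numeric only, bounded length.
        RULES.put("number", Pattern.compile("^[0-9]{1,10}$"));
    }

    @Override public void init(FilterConfig cfg) {}
    @Override public void destroy() {}

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletResponse resp = (HttpServletResponse) res;
        Map<String, String[]> params = req.getParameterMap();
        for (Map.Entry<String, String[]> p : params.entrySet()) {
            String name = p.getKey();
            if (HTML_ALLOWED.contains(name)) continue;          // free text: checked at output time
            Pattern rule = RULES.get(name);
            if (rule == null) {                                 // unknown parameter: reject
                resp.sendError(HttpServletResponse.SC_BAD_REQUEST);
                return;
            }
            for (String v : p.getValue()) {                     // every value, including repeats
                if (!rule.matcher(v).matches()) {
                    resp.sendError(HttpServletResponse.SC_BAD_REQUEST); // HTTP 400, JSP never runs
                    return;
                }
            }
        }
        chain.doFilter(req, res);                               // all parameters valid
    }
}
```

Register the filter on the DisplayPost.jsp URL pattern in web.xml; a request with a non-numeric number or angle brackets in plainText then never reaches the page.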