Originally Posted by mitchumango
This isn't working for me. I can set $data to a string by using "/xss.php?data=mitch", but I can't execute any scripts. Is it possible that htmlspecialchars() is automatically turned on?
The XSS protections are implemented in some browsers, like Google Chrome etc.!
Try it with Mozilla or Internet Explorer!