This is a simplified, insecure environment. Do not use this code in production.
Because this is a client-side demo that writes the input into the page with innerHTML, and a <script> element inserted that way is never executed by the browser, we use an image tag whose onerror handler triggers the alert immediately:
Type the payload above into the search bar. It will be "reflected" immediately.
Reflected XSS occurs when input is immediately returned by the web application in an error message, search result, or any other response that includes some or all of the input provided by the user as part of the request.
Post a comment containing the payload, then refresh the page. The attack persists because the payload is saved and re-rendered on every load.
Stored XSS generally occurs when user input is stored on the target server (in a database, a message forum, a visitor log, a comment field, etc.) and is later served to a victim who requests the stored data.
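The following is an added example, not the demo page's own code: it models both sinks described above (the reflected search result and the stored comment list) as string rendering so it runs in Node without a DOM; in the browser the same strings would be assigned to an element's innerHTML. The payload, the comment store and the author names are constructed for the example, and the escapeHtml and containsActiveContent helpers are assumptions rather than anything the demo ships.

```javascript
// Constructed payload of the kind the demo uses: an <img> whose onerror
// handler runs as soon as the browser fails to load "x". A <script> element
// inserted via innerHTML is not executed, which is why the demo relies on an
// event handler instead.
const PAYLOAD = '<img src=x onerror=alert(document.domain)>';

// Vulnerable reflected sink: the query is concatenated straight into markup.
function renderSearchUnsafe(query) {
  return `<p>Results for: ${query}</p>`;
}

// Escape the five characters that can change HTML context. This is the
// string equivalent of using element.textContent instead of innerHTML.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Hardened reflected sink: same output shape, input treated as text.
function renderSearchSafe(query) {
  return `<p>Results for: ${escapeHtml(query)}</p>`;
}

// Stored variant: comments persist in a store (an array standing in for the
// database) and are rendered on every page load, so the payload fires for
// every visitor until the stored row is removed.
function createCommentStore() {
  return [];
}
function postComment(store, author, body) {
  store.push({ author, body });
}
function renderCommentsUnsafe(store) {
  return store.map((c) => `<li><b>${c.author}</b>: ${c.body}</li>`).join('');
}
function renderCommentsSafe(store) {
  return store
    .map((c) => `<li><b>${escapeHtml(c.author)}</b>: ${escapeHtml(c.body)}</li>`)
    .join('');
}

// Crude check for markup that runs script when parsed: a <script> tag, or an
// inline event handler / javascript: URL inside a tag. It only looks inside
// tags, so escaped text such as "&lt;img ... onerror=" does not trigger it.
const ACTIVE_CONTENT = /<script\b|<[a-z][^>]*(?:\son[a-z]+\s*=|javascript:)/i;
function containsActiveContent(html) {
  return ACTIVE_CONTENT.test(html);
}

// Demo run: the unsafe sinks pass the payload through, the safe ones neutralise it.
const store = createCommentStore();
postComment(store, 'alice', 'nice site');
postComment(store, 'mallory', PAYLOAD);
console.log(renderSearchUnsafe(PAYLOAD));
console.log(renderSearchSafe(PAYLOAD));
console.log(containsActiveContent(renderCommentsUnsafe(store)),
            containsActiveContent(renderCommentsSafe(store)));
```

The reflected and stored cases share the same root cause and the same fix: the difference is only whether the payload arrives in the current request or is read back from storage, so escaping (or using textContent) at the point of output covers both.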