HTML Injection/XSS Question
I'm attempting to inject code into a form (scripts, etc.) to test for XSS and others. I've tried dozens of things including the usual <script>alert("XSS);</script>. The only things that have worked are:
- <font color="red">test</font>
- Unicode HTML Encoding (I can replace letters, but characters, such as <, are filtered out.)
They give the expected results -- formatted text. And when I exit the application and log back in, the code is still there, and it still executes. But that's all.
Could a more advanced tester go further, or does it appear that I've taken it as far as it can be taken? If this is it, is it worth reporting?