While it’s definitely easier if the “<” and “>” characters are allowed, one can still “convince” the target website to run JavaScript even when those tags are escaped or stripped.
For example we have this search box:
Once we run the search, we notice that the HTML tags and the text between them were removed.
Now, even though “<script>” was removed, the quotes are still there. That means we can add our own HTML attributes. As it happens, onmouseover is an HTML attribute we can add, and it will execute our JavaScript code.
We just need to study a bit how the strings are concatenated. We have something like this:
…name="keywords" value="OUR STRING" placeholder=…
Our string needs to close the opening quote of value. Then we can add the new onmouseover attribute with the JavaScript code inside it. Once that is done, we need to deal with the closing quote of value, so we add a dummy attribute name whose (empty) value absorbs it. In the end, it can look like this:
Once we search using this string (and move the mouse), voila:
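The reason tag stripping does not help here, and what actually closes the hole, as an added example (not code from the original post; the template and all function names are hypothetical): the same search input is rendered once with a tag-stripping filter and once with proper attribute encoding, and a small attribute parser shows which rendering grew an event handler.

```javascript
// Weak filter of the kind the post describes: remove anything that looks like a tag.
// It never touches quotes, so it cannot keep input inside an attribute value.
function stripTags(input) {
  return input.replace(/<[^>]*>/g, "");
}

// Proper defence: encode every character that can end an attribute value
// or start markup, so user input can never leave the quoted value.
function encodeForAttribute(input) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;" };
  return input.replace(/[&<>"']/g, (c) => map[c]);
}

// The page's template (hypothetical reconstruction), rendered with each filter.
function renderWithStrip(userInput) {
  return `<input type="text" name="keywords" value="${stripTags(userInput)}" placeholder="Search">`;
}
function renderWithEncode(userInput) {
  return `<input type="text" name="keywords" value="${encodeForAttribute(userInput)}" placeholder="Search">`;
}

// Minimal attribute parser: lists name="value" pairs, honouring the quotes
// the same way a browser would. Encoded &quot; inside a value does not split it.
function attributeNames(html) {
  const names = [];
  const re = /\s([a-zA-Z-]+)="[^"]*"/g;
  let m;
  while ((m = re.exec(html)) !== null) names.push(m[1]);
  return names;
}

// Check a test suite can apply to rendered output: did any on* handler appear
// that the template itself never declared?
function hasInjectedHandler(html) {
  return attributeNames(html).some((n) => n.toLowerCase().startsWith("on"));
}

// Constructed input with the shape the post describes: close the value quote,
// open a new attribute, and leave a dummy attribute to absorb the trailing quote.
// The handler body is a placeholder, not working script.
const probe = 'x" onmouseover="PLACEHOLDER" z="';

console.log(hasInjectedHandler(renderWithStrip(probe)));  // true: filter bypassed
console.log(hasInjectedHandler(renderWithEncode(probe))); // false: input stayed in value
```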