Server executes the below PHP code:
<?php
// Only the exact string 'alert(1)' is accepted, and it is echoed into an unquoted attribute.
if (isset($_POST['xss']) && $_POST['xss'] === 'alert(1)') {
    echo "<p onclick=" . htmlentities($_POST['xss']) . ">click me!</p>";
}
The accepted value alert(1) contains nothing for htmlentities() to encode, and the onclick attribute is unquoted, so the server emits <p onclick=alert(1)>click me!</p>, leading to an obvious XSS.
Now click the link below to try the same payload, but this time with a Content-Security-Policy in place:
Retry with CSP
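As an added example (not the demo page's own code), the vulnerable echo from above next to a hardened version, together with the kind of CSP header the "Retry with CSP" link is assumed to send; the exact header value is an assumption, since the page does not show it.

```php
<?php
// Added example, not the demo's own code. Shows why htmlentities() does not help
// here and what a fix looks like; the CSP value below is assumed, not taken from the page.

// Vulnerable: the attribute value is unquoted, so encoding the value is pointless.
// 'alert(1)' contains no <, >, & or quote characters, nothing gets encoded, and the
// browser parses onclick=alert(1) as an inline event handler.
function render_vulnerable(string $xss): string {
    return "<p onclick=" . htmlentities($xss) . ">click me!</p>";
}

// Hardened: never place attacker-controlled data into an event-handler attribute.
// If the value must appear in the markup, put it in a quoted, non-executing
// attribute (or in text content) and encode with ENT_QUOTES so quotes cannot break out.
function render_hardened(string $xss): string {
    $safe = htmlspecialchars($xss, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return "<p data-value=\"" . $safe . "\">click me!</p>";
}

// Defence in depth: a script-src without 'unsafe-inline' makes the browser refuse
// to run inline handlers such as onclick=..., so the vulnerable markup stays inert.
// Assumed policy; tighten or adjust to the site's real script sources.
function send_csp(): void {
    header("Content-Security-Policy: default-src 'self'; script-src 'self'");
}

if (isset($_POST['xss']) && $_POST['xss'] === 'alert(1)') {
    send_csp();                              // headers must go out before any output
    echo render_vulnerable($_POST['xss']);   // same markup as the demo, now blocked by CSP
    echo render_hardened($_POST['xss']);     // no executable context for the input at all
}
```

With the header in place, browsers report the blocked inline handler in the console (and to a report-uri/report-to endpoint if one is configured), which is the signal defenders watch for when rolling out CSP.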