This page uses the following CSP:
Content-Security-Policy: default-src 'self'
The server executes the following PHP code:
<?php
// Deliberately vulnerable demo: the submitted value lands in an unquoted
// onclick attribute, so htmlentities() does not stop it becoming an inline handler.
if (isset($_POST['xss']) && $_POST['xss'] === 'alert(1)') {
    echo "<p onclick=" . htmlentities($_POST['xss']) . ">click me!</p>";
}
This leads to an obvious XSS: the rendered markup is <p onclick=alert(1)>click me!</p>, and clicking the paragraph would normally run the handler.
BUT, thanks to CSP, the XSS payload won't run. An inline event handler counts as inline script; with no script-src directive the browser falls back to default-src 'self', which carries no 'unsafe-inline', so it refuses to execute the handler. You'll see a CSP violation message in your browser console.
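As an added example (not part of the original page), the following JavaScript models the directive fallback a browser applies to the inline onclick handler above: script-src-attr, then script-src, then default-src, with 'unsafe-inline' the only keyword that permits it, and ignored when a nonce, hash or 'strict-dynamic' sits alongside it. The function names are assumptions, and hash-based allowance via 'unsafe-hashes' is not modelled.

```javascript
// Added example (not from the original page): a simplified model of how a
// browser decides whether an inline event handler attribute, like the
// onclick= rendered by the PHP snippet above, may execute under a given CSP.
// Hash-based allowance ('unsafe-hashes' plus a matching sha256-) is not modelled.

function parseCsp(policy) {
  // "default-src 'self'; script-src 'self'" -> Map { 'default-src' => ["'self'"], ... }
  const directives = new Map();
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // Browsers honour the first occurrence of a directive and ignore repeats.
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

function governingDirective(policy) {
  // Inline handlers fall back through script-src-attr, script-src, default-src.
  const directives = parseCsp(policy);
  return ['script-src-attr', 'script-src', 'default-src']
    .find(name => directives.has(name)) || null;
}

function inlineHandlerAllowed(policy) {
  const name = governingDirective(policy);
  // No governing directive at all: CSP places no restriction on inline script.
  if (name === null) return true;
  const sources = parseCsp(policy).get(name).map(s => s.toLowerCase());
  const hasNonceOrHash = sources.some(s => /^'(nonce-|sha(256|384|512)-)/.test(s));
  const strictDynamic = sources.includes("'strict-dynamic'");
  // 'unsafe-inline' is the only keyword that re-enables inline handlers, and
  // CSP2/CSP3 browsers ignore it once a nonce, hash or 'strict-dynamic' is present.
  return sources.includes("'unsafe-inline'") && !hasNonceOrHash && !strictDynamic;
}

// The page's policy: default-src 'self' governs and has no 'unsafe-inline',
// so the handler is blocked, which is the violation reported in the console.
console.log(inlineHandlerAllowed("default-src 'self'"));                 // false
console.log(inlineHandlerAllowed("default-src 'self' 'unsafe-inline'")); // true
```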