XSS via the DOM

Go to this webpage with a parameter 'name' in the URL, e.g. http://www.cs.ru.nl/~erikpoll/websec/demo/xss_via_DOM.html?name=Jan.

The fragment of HTML below uses JavaScript in combination with the DOM to retrieve the name parameter from the URL and include it in the content of the page.

Hello ! Welcome to this webpage.

You can try to inject HTML mark-up tags, or even scripts, in the name parameter, but most browsers nowadays encode these characters in the URL.
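
The following sketch is an added example, not the script used by the demo page. It shows why the browser's URL encoding only protects a page that uses the raw URL text, and what a hardened version looks like. All function names and the example.test host are assumptions made for illustration.

```javascript
// Added example. Function names are hypothetical; each return value stands for
// the string a page would hand to document.write() or innerHTML.

// What location.href holds after the browser normalises a typed URL.
function browserHref(typed) {
  return new URL(typed).href; // WHATWG URL parsing percent-encodes < and > in the query
}

// Pattern 1: slice the raw URL text and concatenate it into markup.
function greetRaw(href) {
  const i = href.indexOf("name=");
  const name = i === -1 ? "" : href.substring(i + "name=".length);
  return "Hello " + name + "! Welcome to this webpage.";
}

// Pattern 2: decode first. This undoes the browser's encoding, so markup
// in the parameter reaches the page as markup again.
function greetDecoded(href) {
  const i = href.indexOf("name=");
  const name = i === -1 ? "" : decodeURIComponent(href.substring(i + "name=".length));
  return "Hello " + name + "! Welcome to this webpage.";
}

// Hardened: parse the query properly, then escape for an HTML text context.
// In a browser, assigning the name to element.textContent achieves the same.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

function greetSafe(href) {
  const name = new URL(href).searchParams.get("name") ?? "";
  return "Hello " + escapeHtml(name) + "! Welcome to this webpage.";
}

// Constructed input: harmless bold markup in the name parameter.
const href = browserHref("http://example.test/xss_via_DOM.html?name=<b>Jan</b>");
console.log(href);
console.log(greetRaw(href));
console.log(greetDecoded(href));
console.log(greetSafe(href));
```

Only the decoded variant returns the markup unescaped. The raw variant is protected solely by the browser's encoding, while the hardened variant does not depend on it.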