- Google XSS Challenges at https://xss-game.appspot.com
- Help : https://www.google.com/about/appsecurity/learning/xss/index.html
The output will be directly displayed without any escaping.
A simple query with <script>alert("XSS")</script> will do the job.