True Reflected XSS via GET

This page reflects request parameters back in the server's response to that same request. Try a URL like ?name=Alice&html=%3Cimg%20src%3Dx%20onerror%3Dalert(document.domain)%3E to see a true reflected XSS example.

The list below is rendered safely, but the html parameter is intentionally inserted as raw HTML on the server.

Unsafely Reflected HTML

No html parameter supplied.

This content comes directly from the query string and is not stored anywhere first. That immediate request-to-response flow is what makes it reflected XSS.
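
The request-to-response flow described above, as an added example that is not this page's own server code: one handler renders the html parameter raw and with output encoding, and a parser-based check shows which response still carries an inline event handler. The names render and event_handlers, the response layout, and the use of Python are assumptions made for illustration.

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import parse_qsl

# Constructed sample request: the query string suggested on the page.
SAMPLE_QUERY = "name=Alice&html=%3Cimg%20src%3Dx%20onerror%3Dalert(document.domain)%3E"
PLACEHOLDER = "No html parameter supplied."


def render(query_string, encode_output):
    """Build the response body for one GET request (hypothetical handler)."""
    params = parse_qsl(query_string, keep_blank_values=True)
    # The parameter list is always HTML-escaped, like the page's safe list.
    items = "".join(f"<li>{escape(k)} = {escape(v)}</li>" for k, v in params)
    value = dict(params).get("html")
    if value is None:
        reflected = PLACEHOLDER
    elif encode_output:
        reflected = escape(value, quote=True)  # hardened: markup becomes text
    else:
        reflected = value  # vulnerable sink: raw query data enters the HTML
    return f"<ul>{items}</ul><h2>Unsafely Reflected HTML</h2><div>{reflected}</div>"


class _HandlerFinder(HTMLParser):
    """Collects (tag, attribute) pairs for inline event handlers (on*)."""

    def __init__(self):
        super().__init__()
        self.found = []

    def handle_starttag(self, tag, attrs):
        self.found += [(tag, name) for name, _ in attrs if name.startswith("on")]


def event_handlers(body):
    """Regression check: which inline event handlers did the response parse to?"""
    finder = _HandlerFinder()
    finder.feed(body)
    finder.close()
    return finder.found


if __name__ == "__main__":
    for label, encode in (("vulnerable", False), ("hardened", True)):
        body = render(SAMPLE_QUERY, encode_output=encode)
        print(label, event_handlers(body), body, sep="\n  ")
```

Python's HTMLParser only approximates how a browser parses markup, so treat event_handlers as a regression test for the encoding step rather than as proof that a response is safe.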