Course

In this lab, you will encounter an XSS vulnerability similar to a previous challenge, but with the added complexity of HTML-encoded special characters. This is a common issue in PHP web applications because the `htmlentities` function does not encode single quotes unless the `ENT_QUOTES` flag is used. Despite this, you can still inject JavaScript code to achieve your goal.

The task requires you to create an alert box with your unique identifier and get the victim to visit your payload. The injection point is already within a script tag, so you need to carefully analyze the HTML and JavaScript to insert your code effectively. The challenge is completed once the alert box is triggered in the victim's browser.