Some sites offer spell checking as a feature of their search functionality or translation application. While this might be a good idea from a user's perspective, it can also be a bad idea for anyone trying to avoid XSS in his/her code. For example, this page can be XSSed in several different ways, but one of them is particularly elegant and applicable to other similar scenarios as well.
Here is its source code. Notice there’s some basic filtering, added after the developer got a “bug report”. 🙂
Play with it and see how it behaves. It will be funny to see how your attempts get messed up, so share it with your friends and followers!
Didn’t find a solution or just want to see an XSS tool finding it? Check KNOXSS – XSS Discovery Service. For Pro users there’s a native payload for it, but if you don’t have a plan yet there’s an easter egg (!) in the demo so anyone can see it. Just register for free and feed it with the GET-based URL: http://brutelogic.com.br/spell/?q=1
It works even in Google Chrome, but Firefox is suggested. Although the Standard version can’t find this one, users of that plan can also access the KNOXSS demo interface (logged in) to see it in action.