. I usually do it element.value="<script>alert('test');</script>".

. 我通常这样做element.value="<script>alert('test');</script>"。

If sounds like you are generating an inline <script>element, in which case the </script>will end the HTML element and cause the script to terminate in the middle of the string.

如果听起来您正在生成一个内联<script>元素，在这种情况下，</script>将结束 HTML 元素并导致脚本在字符串的中间终止。

Escape the /so that it isn't treated as an end tag by the HTML parser:

转义/以便 HTML 解析器不会将其视为结束标记：

element.value = "<script>alert('test');<\/script>"

is you want fix XSS on input element? you can encode string before output to input field

你想在输入元素上修复 XSS 吗？您可以在输出到输入字段之前对字符串进行编码

PHP:

PHP：

$str = htmlentities($str);

C#:

C＃：

str = WebUtility.HtmlEncode(str);

after that output value direct to input field:

在该输出值直接到输入字段之后：

<input type="text" value="<?php echo $str" />

Ok to answer this . I simply converted my <and the >to <and >. What was happening previously is i used to set the text <script>alert('1')</script>but before setting the text in the input text browserconverts <and >as <and the >. So hence converting them again to <and >since browser will understand that as only tags and converts them , than executing the script inside <input type="text" />

好的回答这个。我只是将 my<和 the转换>为<and >。之前发生的事情是我用来设置文本，<script>alert('1')</script>但在输入文本浏览器中设置文本之前，转换<和>as<和>. 因此，因此将它们再次转换为<并且>因为浏览器将理解为仅标记并转换它们，而不是在内部执行脚本<input type="text" />

I want to alert('test'); in an input type text but it should not execute the alert(alert prompt).

我想提醒('测试'); 在输入类型文本中，但不应执行警报（警报提示）。

<input type="text" value="<script>alert('test');</script>" />

Produces:

产生：

You can do this programatically via JavaScript. First obtain a reference to the input element, then set the valueattribute.

您可以通过 JavaScript 以编程方式执行此操作。首先获取对输入元素的引用，然后设置value属性。

var inputElement = document.querySelector("input");
inputElement.value = "<script>alert('test');<\/script>";

JQuery version:

jQuery 版本：

$('yourInputSelectorHere').val("<script>alert('test');<\/script>")