This site mimics the behavior of a vulnerable web application that uses the LibProtection library API to format strings, building the arguments for potentially vulnerable operations from input data.

The vulnerable operations are actually executed here, so don't be evil. To give you complete freedom to test the functionality of the library, the set of possible values for the "format string" field is unrestricted, and the field itself is not protected in any way (its value is assumed to be hard-coded in the imitated application's code and not derived from input data). For the same reason, please do not use automated testing tools (at least not with potentially dangerous check modes enabled). Use a locally deployed copy of this site for that kind of testing.

Language provider:
Vulnerable operation:
Renders the given HTML markup on the client side.
Format string:
Arguments (one per line):
Format result:
<a href='Default.aspx' onclick='alert("Hello from embedded JavaScript code!");return false'>This site&#39;s home page</a>
Vulnerable operation result:
This site's home page