
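<?php
// Home page of the SBD XSS demo. It reflects the visitor's name from the
// query string and the logged-in user from the session; both are untrusted
// input and are escaped with htmlspecialchars() before being written into
// HTML text content.

// session_status() is the reliable "is a session running" check; the
// empty(session_id()) test is fooled if session_id() was set by hand.
if (session_status() !== PHP_SESSION_ACTIVE) {
    session_start();
}

// A query string such as ?name[]=x makes $_GET['name'] an array, which
// htmlspecialchars() rejects (TypeError on PHP 8, warning and null before).
// Accept only a plain string and otherwise behave as if no name was sent.
$name = (isset($_GET['name']) && is_string($_GET['name'])) ? $_GET['name'] : null;
?>
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<meta http-equiv="X-UA-Compatible" content="IE=edge">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<title>SBD XSS | Home</title>
</head>
<body>
<?php if ($name !== null) { ?>
<?php /* Flags and charset are passed explicitly so escaping does not depend on
         the PHP version's defaults (before 8.1 single quotes were left alone,
         and without ENT_SUBSTITUTE invalid UTF-8 yields an empty string). */ ?>
<div>Hey <?= htmlspecialchars($name, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8') ?>, how are you doing?</div>
<div>Enjoy this picture:</div>
<div><img src="//unsplash.it/256"></div>
<hr>
<?php } ?>
<div>
Hey, what's your name?
</div>
<form action="/" method="GET">
<input type="text" name="name" placeholder="Enter your name">
<input type="submit" value="Send">
</form>
<?php if (isset($_SESSION["username"])) { ?>
<?php /* Session data is still treated as untrusted output: escape it the same way. */ ?>
<div>I know you are logged in as <?= htmlspecialchars($_SESSION["username"], ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8') ?></div>
<?php } ?>
</body>
</html>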