Stored XSS in onclick. Payload obfuscation with HTML encoding.

The - can be replaced by + sign, so both produce the same result acting as delimiters for the server to differentiate between the track function, the alert(1) and the &apos. Is that right ...

many manty thanks to you. Incredible explanation here and below other xss videos. Fascinating content (not exaggeration). It's interesting how things can be explained that cleanly. Thanks agian

you are amazing thanks
keep it up we want more lab solve

"Why is there a popup when I enter the payload, but the lab hasn't resolved it and asked me to check if 'foo' is spelled incorrectly?"