[neil_s]

Level 4 has a bug. Entering a string in the text box for the timer solves the problem, but putting that string directly as the get parameter in the URL doesn't. Anyone know how to report this?

[xss-game-bot]

What payload are you using on that level? Keep in mind that ";" is often treated as a parameter separator in URLs, similarly to &. If you put it into the mock URL bar it will terminate the value of your parameter (see also http://en.wikipedia.org/wiki/Query_string#Web_forms)

PS. Consider it reported, thanks!

[jdewald]

Escaping the ';' works on that one

[path411]

Also using the ',' operator works.

[mikesena]

Thankyou. I was trying my payload but couldn't get it to work. I'm sure there's a better way to do it.

[alisey]

Do you have a '+' in your string? In URL it's interpreted as a space, use '%2B' instead.