Browser-based anti-XSS measures involve comparing input to output. If inputs contain scripting and are used as part of a script in the resulting response, the script is not executed. If you can break the comparison, you can defeat the anti-XSS measures.
Your objective is to use XML injection to perform cross-site scripting which bypasses browser anti-XSS measures.
(Note: Firefox [without NoScript], Safari, and old versions of IE do not have anti-XSS protections. Try using a browser which has anti-XSS measures, like Chrome.)
PARAMETERS:
Injection Type - CDATA-wrapped value
Sanitization - None
Output - All results, verbose errors, xml shown