PHP date() is evil (XSS'able)

2014.03.05
Credit: 0xa
Risk: Low
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-79

I was playing with PHP (as usual) and I was thinking about date(). It's a PHP function that displays the date in different formats. According to the documentation: 'Unrecognized characters in the format string will be printed as-is.' So what if I try to insert HTML there as well? I tried:

<?php echo date('<img src=x onerror=alert(\'XSS\')>'); ?>

But the letters were treated as recognized format characters, so the output was:

<59033 32Tue, 04 Mar 2014 15:59:32 +00002014-03-04T15:59:32+00:00=x 20143UTCTue, 04 Mar 2014 15:59:32 +0000Tue, 04 Mar 2014 15:59:32 +00002014Tue, 04 Mar 2014 15:59:32 +0000=pmTuesdayUTCTue, 04 Mar 2014 15:59:32 +000031('Xthth')>

Obviously that's not going to give us the XSS payload. The page also says: 'You can prevent a recognized character in the format string from being expanded by escaping it with a preceding backslash. If the character with a backslash is already a special sequence, you may need to also escape the backslash.' So I tried to escape the characters I supplied with a backslash:

<?php echo date('<\i\m\g \s\r\c=x \o\n\e\r\r\o\r=\a\l\e\r\t(\'X\S\S\')\>'); ?>

And voila! I saw the magic message box! So filter the output of date() like you would filter any user-submitted input. And if you don't think someone would do

echo date($_GET['date']);

THINK AGAIN!

http://phpkurs.se/php/ajax-med-jquery-och-php.html
http://forums.phpfreaks.com/topic/199191-strtotime-1-day-with-a-variable/
http://www.neosoftware.com/community/viewtopic.php?p=11206894&sid=b13ae2cbf369c22a67e659507275b2a3#p11206894
http://www.sitepoint.com/forums/showthread.php?280665-pulling-year-from-url-parameter-in-echo-statement&s=c5e4995b2c0adedf41dc0876ae337750&p=2031078&viewfull=1#post2031078
http://www.computercraft.info/forums2/index.php?/topic/4806-luacode-wantedreal-time/page__view__findpost__p__37833

date() is evil, don't trust it.
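The following is an added example, not code from the advisory or its author. It puts the vulnerable pattern (a request-controlled format string passed straight to date()) next to two defensive options: output-encoding whatever date() returns with htmlspecialchars(), and refusing raw format strings altogether by mapping a selector to an allowlist of fixed formats. The allowlist key names, the function names and the timestamp are constructed for the example. Every letter in the test format is backslash-escaped, because newer PHP releases recognise more letters (for instance 'x' and 'X' since PHP 8.2) than the 2014 interpreter the advisory was written against; DateTime::format() uses the same format language and the same backslash escaping, so the same rules apply to it.

```php
<?php
declare(strict_types=1);

// Example code (not from the advisory). A user-controlled date() format is a
// template-injection sink: any character can be smuggled through unexpanded by
// escaping it with a backslash, so the result must be treated as untrusted.

// Vulnerable pattern: the format string comes straight from the request.
function render_date_unsafe(string $format, int $ts): string
{
    return date($format, $ts);
}

// Hardened option 1: encode the output, so whatever date() produced is inert
// in an HTML context. This is the "filter the output" advice from the advisory.
function render_date_encoded(string $format, int $ts): string
{
    return htmlspecialchars(date($format, $ts), ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Hardened option 2: never accept a raw format. The request only carries a
// selector, and the selector is looked up in a fixed allowlist (hypothetical keys).
const DATE_FORMATS = [
    'iso'   => 'Y-m-d',
    'rfc'   => DATE_RFC2822,
    'short' => 'd/m/Y',
];

function render_date_allowlisted(string $key, int $ts): ?string
{
    if (!array_key_exists($key, DATE_FORMATS)) {
        return null; // reject unknown selectors instead of passing them to date()
    }
    return htmlspecialchars(date(DATE_FORMATS[$key], $ts), ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Demonstration on a fixed, constructed timestamp (2014-03-04 15:59:32 UTC), so
// the output does not depend on the clock or the server time zone.
date_default_timezone_set('UTC');
$ts = 1393948772;

// Constructed hostile format: every letter is escaped, so date() leaves the
// string untouched and the markup reaches the page intact in the unsafe path.
$hostile = '<\i\m\g \s\r\c=\x \o\n\e\r\r\o\r=\a\l\e\r\t(1)\>';

echo "unsafe:      ", render_date_unsafe($hostile, $ts), "\n";
echo "encoded:     ", render_date_encoded($hostile, $ts), "\n";
echo "allowlisted: ", var_export(render_date_allowlisted('iso', $ts), true), "\n";
echo "rejected:    ", var_export(render_date_allowlisted($hostile, $ts), true), "\n";
```

Run with the PHP CLI: the unsafe path echoes the tag unchanged, the encoded path returns it with `<`, `>` and quotes entity-encoded, and the allowlisted path returns an ISO date for a known key and NULL for anything else. Of the two defences, the allowlist is preferable when the application only ever needs a handful of formats, because it removes the injection point rather than neutralising its output; output encoding remains necessary wherever date() output is embedded in HTML, since a format string can also arrive from configuration or a database rather than directly from the request.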

References:

http://0xa.li/php-date-is-xssable/
http://phpkurs.se/php/ajax-med-jquery-och-php.html
http://forums.phpfreaks.com/topic/199191-strtotime-1-day-with-a-variable/
http://www.neosoftware.com/community/viewtopic.php?p=11206894&sid=b13ae2cbf369c22a67e659507275b2a3#p11206894
http://www.sitepoint.com/forums/showthread.php?280665-pulling-year-from-url-parameter-in-echo-statement&s=c5e4995b2c0adedf41dc0876ae337750&p=2031078&viewfull=1#post2031078
http://www.computercraft.info/forums2/index.php?/topic/4806-luacode-wantedreal-time/page__view__findpost__p__37833
