In this section we can see the modes used by our plugin. In Strict mode, the attacker gets an error message. In Alert mode, the plugin tries to sanitize the request so that processing can continue normally.

For example, suppose an attacker writes the following string in a forum post field: <IMG SRC="javascript:alert('xss');">

In Strict mode, the attacker gets a 400 error page:

In Alert mode, the plugin sanitizes the string and the attacker doesn't get any message:

In the previous case, the sanitized string is a blank string. If the attacker tries an attack with the string "select * from members where username='admin'--'", the result in Alert mode is:
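The difference between the two modes, as an added example that is not the plugin's own code and does not reproduce its actual output: the function names, the return shape and both detection patterns are assumptions constructed for illustration, applied to the two strings quoted above.

```python
import re

# Constructed rules (assumptions, not the plugin's real rule set).
TAG_RE = re.compile(r"<[^>]*>")               # any HTML tag, e.g. <IMG SRC=...>
SQL_META_RE = re.compile(r"--|/\*|\*/|;|'|\"")  # SQL comment markers, separators, quotes

# The two inputs quoted in the text above.
XSS_INPUT = "<IMG SRC=\"javascript:alert('xss');\">"
SQLI_INPUT = "select * from members where username='admin'--'"


def is_suspicious(value):
    """True if the field contains an HTML tag or an SQL metacharacter."""
    return bool(TAG_RE.search(value) or SQL_META_RE.search(value))


def sanitize(value):
    """Remove HTML tags first, then SQL metacharacters from what remains."""
    without_tags = TAG_RE.sub("", value)
    return SQL_META_RE.sub("", without_tags).strip()


def handle_field(mode, value):
    """Return (http_status, value_handed_to_the_application).

    strict: a suspicious field rejects the whole request with 400.
    alert:  a suspicious field is sanitized and the request continues.
    """
    if not is_suspicious(value):
        return 200, value
    if mode == "strict":
        return 400, None
    if mode == "alert":
        return 200, sanitize(value)
    raise ValueError("unknown mode: %r" % mode)


if __name__ == "__main__":
    for mode in ("strict", "alert"):
        for field in (XSS_INPUT, SQLI_INPUT, "hello world"):
            print(mode, repr(field), "->", handle_field(mode, field))
```

Stripping quote characters also changes legitimate input such as the surname O'Brien, so a filter of this kind complements output encoding and parameterized queries and does not replace them.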