self xss – XSS Triggers only when pasted in

I have a XSS case that I would like to exploit as a proof of concept, however the payload seems to only be triggering when pasted in and not from the URL.

Basically, I have a search box which when pasting in the following XSS payloads triggers an alert.

<img src=x onerror=alert(1)>
<noscript><p title="</noscript><img src=x onerror=alert(1)>">

However, when clicking the search button and sending the GET request to /search?query=<payload> the payload doesn’t seem to be triggering.

Does anyone have any idea why or how I could get it to reflect from the URL? It seems quite weird that it only works immediately when pasted in but not after submitted.


The following snippet is from the search results page source. The search term – aka payload in this scenario – is displayed as normal without any sanitizing but it is not executed.