I just don't get one thing: emails in sign in forms always allows a user to input underline, wouldn't that be a vulnerability? How does one know is the payload works? I don't get it.
Hi. Thanks for your comment. The underline is by itself not a malicious character. In general, popping an alert is usually one way to show that a site is vulnerable to XSS. But you can also probe for XSS by injecting HTML elements like canary123 and then check for underlined text. If you find something like this you can go on to try to pop an alert or execute other javascript. In the end, it is all about showing (or indicating) impact.