diff --git a/xss_feedback/README.md b/xss_feedback/README.md new file mode 100644 index 0000000..4d886f6 --- /dev/null +++ b/xss_feedback/README.md @@ -0,0 +1,35 @@ +# + +## How We Found It +there is a page to leave a feedback at the bottom of the home page. +on this page, there is two fields, name and message, in the message we can't input html, the tags get removed, however in the name field , we can put html. +maybe we can put a script. let's write +``` + +``` +There is a limit on the number of chars in the name field, but it's just a html limit, we can just modify it. +it accepted the message but it removed the `` of my message and my name is now `alert("hello")`. +so it does have some verification but not on everything. Maybe I can put a script on another tag. +let's try this : +``` + +``` +It didn't work. the word javascript has been removed from the name. +let's try without the word javascript : +``` + +``` +it worked but we didn't get any flag +after asking someone, we found out that this page has a problem. +to get the flag, we have to just enter `script` or just any one of these leters `alertscript` + +## Utility of It +- Allows attackers to inject JavaScript into the page. +- Can be used to steal cookies, spoof content, or trigger flags in CTFs. +- Shows how weak or naive filters can be bypassed with creative input + +## How Can We Patch It +- Use proper HTML escaping/sanitization libraries (e.g., DOMPurify) instead of blacklists. +- Never trust user input — encode everything before rendering. +- Apply Content Security Policy (CSP) headers to block inline scripts. +- Avoid inserting user input directly into the DOM without sanitizing it.
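Review bot: the three fenced blocks under "let's write", "let's try this :" and "let's try without the word javascript :" are empty, and so is the inline code in "it removed the `` of my message", so the write-up cannot be followed: the reader never sees what the first attempt was, what the filter stripped, or how the third attempt differed; the HTML was most likely eaten by the markdown renderer, so restore it inside the fences (escaped) and tag the fences with a language, e.g. "```html". The title line "+#" is an empty heading and should name the challenge. The flag condition in "to get the flag, we have to just enter `script` or just any one of these leters `alertscript`" is ambiguous (is it the whole word, or any single character from that set?) and "leters" is a typo; state the exact input that produced the flag, since the earlier attempt that left the name as `alert("hello")` was reported as not giving one. Minor grammar: "there is two fields" should be "there are two fields". In "How Can We Patch It", the CSP bullet only holds if script-src omits 'unsafe-inline' (use nonces or hashes), and the first bullet would be clearer if it said that contextual output encoding at render time (template auto-escaping) is the primary fix, with a sanitizer such as DOMPurify reserved for fields that must accept rich HTML; the name field here has no such need and should simply be escaped.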