XSS payloads injection

on one website while i was performing stored xss injection in the input box, I have observed that it is not accepting somthing as or any other tags directly, but accepting the URL encoding version of it, but it is not giving any pop up when ive written simple script of pop up

does that mean it is not vulnerable to stored xss?

I don’t play with XSS but still as far as ik if it’s not giving you your desired output then the website is not vulnerable from XSS.

As you describe it,it seems that it filters the encoded text and it decodes it and sees that there is a script inside encoded text.
So if you want to find xss vuln (if there is), then you should try some xss filter bypasses and url encode them :wink:

okay, thanks for the help