diff --git a/xss-example.js b/xss-example.js
index c39e9a03..eee8ab51 100644
--- a/xss-example.js
+++ b/xss-example.js
@@ -4,4 +4,5 @@
 var urlParams = new URLSearchParams(window.location.search);
 var username = urlParams.get('username');
 var unsafe_div = window.document.getElementById("vulnerable-div");
-unsafe_div.innerHTML = "Hello to you ";
+// here's an XSS:
+unsafe_div.innerHTML = "Hello to you " + username;
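Review bot: The added line writes `username`, taken unmodified from `window.location.search` on the context lines above, into `innerHTML`, so any markup in the query string is parsed into the page; the new comment names the flaw but not the safe alternative. Since the file appears to be a deliberate demonstration, I would extend the comment so a reader also sees the remediation, e.g. `// here's an XSS (fix: unsafe_div.textContent = "Hello to you " + username;):`. Separately, `urlParams.get('username')` returns `null` when the parameter is absent, so the greeting renders as "Hello to you null"; `(username ?? '')` in the concatenation would avoid that.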