When you publish a map in a game called "Fortnite", it asks for a name, a description, and an optional YouTube video. What I'm trying to do is set the "description" to a script tag. Inspect the description on the site here and edit as HTML to see the encoding that happens. The description that you input is set to that island-header-tagline h3 tag.
And I'm trying to run a <script> tag on an <h3> tag. However, it seems that when I try to inject the script tag into the h3 tag, it HTML-encodes it (< to &lt; and > to &gt;). So it doesn't actually recognize it as an HTML tag and doesn't run the script. Does anyone know how this would be achieved? Thank you.
Edit: Here is what I'm trying to achieve: Say this is where the input goes: <h3>USER INPUT</h3>. I'm trying to do something like this: <h3></h3><script>alert('test');</script> However, < and > are escaped to &lt; and &gt;
P.S.: I'm learning XSS (For non-malicious purposes)
What happens is that Fortnite asks for a "title", and you provide the title in the form of HTML code, such as:
<script>alert('test');</script>
Then the Fortnite web server accepts that text and, for security reasons, cleans it up. This is done to protect end users from people who would try to insert code like
<script>StealAllTheMoney();</script>
This is also called "sanitization" of user inputs. We do that in order to protect end users and our web server. Unless there is a vulnerability on Fortnite's side, there is nothing you can do to bypass that sanitization, as it escapes some characters that can be part of malicious inputs. In your case it is at least ">".
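The encoding step described in the answer, as an added example that is not part of the original posts and is not Fortnite's code. The function names are hypothetical; the input is the test string from the question, rendered into the <h3>USER INPUT</h3> slot once without and once with encoding.

```javascript
// Added illustration of output encoding for text placed inside an HTML element.
// All names here are hypothetical; this is not code from the site discussed above.

const HTML_ENTITIES = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#39;",
};

// Replace every character that can change how the browser parses the text.
// "&" is handled in the same pass, so input that already contains entities
// is shown literally instead of being decoded into markup later.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ENTITIES[ch]);
}

// What a page would emit if it concatenated the description unchanged.
function renderTaglineRaw(description) {
  return `<h3>${description}</h3>`;
}

// What the page emits when the description is encoded on output.
function renderTaglineEncoded(description) {
  return `<h3>${escapeHtml(description)}</h3>`;
}

// Count the markup tags present in a fragment (simple check for this demo).
function countTags(html) {
  return (html.match(/<\/?[a-zA-Z][^>]*>/g) || []).length;
}

// Test string taken from the question above.
const description = "<script>alert('test');</script>";

console.log(renderTaglineRaw(description), countTags(renderTaglineRaw(description)));
console.log(renderTaglineEncoded(description), countTags(renderTaglineEncoded(description)));
console.log(escapeHtml("&lt;b&gt;")); // pre-encoded input stays literal text
```

With encoding, the only tags left in the output are the page's own <h3> pair, so the browser displays the description as text instead of parsing it as an element.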