XSS attack to bypass htmlspecialchars() function in value attribute

终归单人心 2020-12-24 13:48

Let's say we have this form, and the possible part for a user to inject malicious code is this below

...


        
5 answers
  •  孤城傲影
    2020-12-24 14:32

    Somewhat similar to Daniel's answer, but breaking out of the value= by first setting a dummy value, then adding whitespace to put in the script which runs directly by a trick with autofocus, setting the input field blank and then adding a submit function which runs when the form is submitted, leaking the username and password to a URL of my choice, creating strings from the string prototype without quotation (because quotations would be sanitized):
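
The answer above depends on characters that htmlspecialchars() leaves untouched. The following is an added defensive example, not code from the question or the answer: it assumes the form echoed the input into an unquoted value attribute (the page does not show the form), and it uses a harmless constructed probe and hypothetical helper names to compare that rendering with a quoted attribute.

```php
<?php
// Added example, not from the original post. Assumption: the form wrote the
// user's input into an UNQUOTED value attribute. Helper names are hypothetical.

// Unquoted attribute: escaping alone does not keep the value in one attribute.
function render_unquoted(string $v): string {
    return '<input type=text name=user value=' . htmlspecialchars($v) . '>';
}

// Quoted attribute with ENT_QUOTES: both quote styles are escaped, so the
// value cannot close the attribute it was written into.
function render_quoted(string $v): string {
    return '<input type="text" name="user" value="'
        . htmlspecialchars($v, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8') . '">';
}

// Parse the markup with PHP's DOM extension and list the input's attributes.
function attribute_names(string $html): array {
    libxml_use_internal_errors(true); // fragments trigger parser warnings
    $doc = new DOMDocument();
    $doc->loadHTML($html);
    $input = $doc->getElementsByTagName('input')->item(0);
    $names = [];
    foreach ($input->attributes as $attr) {
        $names[] = $attr->nodeName;
    }
    return $names;
}

// Constructed, harmless probe: a dummy value, one space, then a data attribute.
// It contains no quotes or angle brackets, so htmlspecialchars() changes nothing.
$probe = 'dummy data-probe=1';

$renderings = [
    'unquoted' => render_unquoted($probe),
    'quoted'   => render_quoted($probe),
];

foreach ($renderings as $label => $html) {
    // Anything beyond the three attributes the template wrote came from input.
    $extra = array_diff(attribute_names($html), ['type', 'name', 'value']);
    printf("%-9s %s\n          attributes from input: %s\n",
        $label, $html, $extra ? implode(', ', $extra) : 'none');
}
```

Any attribute reported beyond type, name and value was created by the input itself, which is the condition to test for when auditing templates that print user data into attributes.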

    
    
    
    
