XSS worm on my InfinityFree site?

Technically it shouldn’t because all it does is set a cookie then check that cookie if it is set.

The cookie’s name is called _test. Besides a GET parameter i is set so ?i=1.

Technically it shouldn’t break because many people have successfully embeded a YouTube video here without problems… If you ever wanted to share your URL people can help you better.

On the other hand if the “first time” you are talking about is before the security has fired then there’s absolutely no way to change that.