I have applied filter in code to block the IP Address of user that try to cross-site-scripting attack on my website.
but issue is this here some IP Address come in text format Like below example, what is reason for this?
ggooppvv-X-Forwarded-Forheader'<"testexample.com ,
spoofed.uxvf3ybq3zlnx8qfyoy2tqz9u00tryfn.burpcollaborator.net
I want to know what reason of this is & how x-forwarded-for work
You're assuming that the X-Forwarded-For is an IP because you're usually getting from your reverse proxy that resolves it into an IP.
However, hackers usually use their own proxy tools (eg, burp suite or ZAP) to craft their own requests and inject headers that aren't usually present through normal browsing behaviour.
In your case, the spoofed string comes from an ephemeral Out Of Band server used specificall in Burp to detect pingbacks that could lead to further vulnerability.
Therefore, it's not the actual IP of the hacker.
see https://portswigger.net/burp/documentation/collaborator for more details.
