a xss attack is possible in index.php

http://127.0.01/myphp/index.php?lang="<script>alert(1337)</script>