Open tcnichol opened 5 months ago
@lmarini and I looked together on other possible places related to this bug and realize that sometime it's unnecessary for the frontend template to use @Html(). It should just render it as plain text instead of as html tags.
you can change the firstName and lastName to include javascript using the endpoint:
localhost:9002/api/users/662eacbe89108d20fb4cab22/updateName?firstName=bb&lastName=<script>alert('XSS')</script>
I am using an imported function. This gets rid of the javascript being called, but then the name is blank on the profile page. It may not be the right method for this, or I may be using it wrong.