Open weathon opened 4 years ago
I wrote a function and I think it can fix the issue
// Characters to neutralise; '&' goes first so the entities emitted later are not re-encoded
const xssdangerous = ['&', '/', '<', '>', "'", '"', '$', '`'];
function axss(astring) {
  let out = String(astring);
  for (let i = 0; i < xssdangerous.length; i++) {
    // Backslash-escape the character so '$' is matched literally (unescaped it is an
    // end-of-string anchor); the g flag replaces every occurrence, not just the first
    const regex = new RegExp('\\' + xssdangerous[i], 'g');
    out = out.replace(regex, '&#' + xssdangerous[i].charCodeAt(0) + ';');
  }
  return out;
}
Put it into the server.
If I set my name as
<script>alert()</script>
, it will pop up an alert, which is an XSS issue.
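Added example, not the issue author's code: it reproduces the posted per-character RegExp loop to show what an unescaped `$` pattern does (an end-of-string anchor, so every string gets a spurious `&#36;` appended), then shows a single-pass encoder that matches each listed character literally, plus a check that the result contains none of the listed characters unencoded. The function names `axssAsPosted`, `encodeForHtml` and `isInert` are assumptions for this example. Note that numeric-entity encoding like this is only a correct defence when the value lands in HTML text or a quoted HTML attribute; a name inserted into a JavaScript string, a URL or an event handler needs the encoding for that context instead.

```javascript
// Added example for the issue above; not the author's or project's code.
const XSS_DANGEROUS = ['&', '/', '<', '>', "'", '"', '$', '`'];

// Mirrors the loop as originally posted: each character is used as a raw
// RegExp source, so '$' becomes an end-of-string anchor instead of a literal.
function axssAsPosted(astring) {
  let out = astring;
  for (const ch of XSS_DANGEROUS) {
    const regex = new RegExp(ch, 'g');
    out = out.replace(regex, '&#' + ch.charCodeAt(0) + ';');
  }
  return out;
}

// Single-pass encoder: one character class built from the escaped list, so
// every listed character is matched literally and each input character is
// visited exactly once (no chance of touching an '&#..;' emitted earlier).
// Backslash before a non-alphanumeric character is an identity escape; this
// is legal because the RegExp is built without the 'u' flag.
const ESCAPE_RE = new RegExp(
  '[' + XSS_DANGEROUS.map((c) => '\\' + c).join('') + ']',
  'g'
);

function encodeForHtml(astring) {
  return String(astring).replace(ESCAPE_RE, (c) => '&#' + c.charCodeAt(0) + ';');
}

// True when no listed character survives unencoded: none of the markup
// characters may appear at all, and any '&' must open a numeric entity.
function isInert(encoded) {
  return !/[<>"'\/`$]/.test(encoded) && !/&(?!#\d+;)/.test(encoded);
}

// Constructed sample input: the payload from the issue.
const payload = '<script>alert()</script>';
console.log(axssAsPosted('abc'));        // 'abc&#36;'  <- the '$' anchor bug
console.log(encodeForHtml(payload));     // '&#60;script&#62;alert()&#60;&#47;script&#62;'
console.log(isInert(encodeForHtml(payload))); // true
```

Run it with `node` to see the difference: the posted loop already neutralises the `<script>` tag, but it also appends `&#36;` to every value it touches, including harmless ones such as a plain name, because `$` was never escaped.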