Open djschilling opened 1 year ago
I have the following Code:
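```js
const xss = require('xss');
const userInput = 'https://heise.de" onmouseover="alert(document.cookie)"';
// The xss() result is concatenated into a double-quoted attribute value
const html = '<a href="' + xss(userInput) + '">link</a>';
```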
The output of `html` is the following: `'<a href="https://heise.de" onmouseover="alert(document.cookie)"">link</a>'`
This leads to an XSS attack. Is this a general problem with this library, or am I using it wrong?
I figured it out. Using escapeAttrValue is the correct function for this case.
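The difference between the two contexts, as an added example that is not part of the original issue and not the xss library's own code: the input from the issue is placed into an `href` once by plain concatenation and once with attribute-value escaping. The helper names (`escapeAttr`, `isAllowedUrl`, `buildLink`, `attributeNames`) are hypothetical, and the http(s) scheme allowlist is an assumption added here, since escaping quotes alone does not make the URL itself a safe link target.

```javascript
// Hypothetical helper (not the xss package's code): escape every character
// that could end or reshape a quoted attribute value.
function escapeAttr(value) {
  const map = { '&': '&amp;', '"': '&quot;', "'": '&#39;', '<': '&lt;', '>': '&gt;' };
  return String(value).replace(/[&"'<>]/g, (ch) => map[ch]);
}

// Escaping keeps the value inside the attribute, but it does not make the URL
// itself safe, so only absolute http(s) URLs are accepted as link targets.
function isAllowedUrl(value) {
  return /^https?:\/\//i.test(String(value).trim());
}

// Build the anchor with escaping applied to both the attribute and the text.
function buildLink(userInput, text) {
  const href = isAllowedUrl(userInput) ? String(userInput).trim() : '#';
  return '<a href="' + escapeAttr(href) + '">' + escapeAttr(text) + '</a>';
}

// Simplified check for this example's double-quoted markup: list the
// attribute names that appear in the generated tag.
function attributeNames(html) {
  const names = [];
  const re = /([\w-]+)\s*=\s*"[^"]*"/g;
  let m;
  while ((m = re.exec(html)) !== null) names.push(m[1]);
  return names;
}

// Input taken from the issue above.
const userInput = 'https://heise.de" onmouseover="alert(document.cookie)"';

// Plain concatenation reproduces the output reported in the issue.
const vulnerable = '<a href="' + userInput + '">link</a>';
const hardened = buildLink(userInput, 'link');

console.log(attributeNames(vulnerable));
console.log(attributeNames(hardened));
console.log(hardened);
```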