If you open the NON-GET dialog and press submit, you get a URL of the form: http://haltalk.herokuapp.com/explorer/browser.html#NON-GET:/
If you modify the URL to include javascript for example, it turns out that the contents are displayed in the users' browser. Theoretically, this makes it possible to perform various actions, including stealing cookies etc.
An example to see the problem described above is going to this link on the demo-app of the HAL-browser:
http://haltalk.herokuapp.com/explorer/browser.html#NON-GET:/">'<script>alert("hi")</script>
If you open the NON-GET dialog and press submit, you get a URL of the form:
http://haltalk.herokuapp.com/explorer/browser.html#NON-GET:/
If you modify the URL to include javascript for example, it turns out that the contents are displayed in the users' browser. Theoretically, this makes it possible to perform various actions, including stealing cookies etc.
An example to see the problem described above is going to this link on the demo-app of the HAL-browser:
http://haltalk.herokuapp.com/explorer/browser.html#NON-GET:/">'<script>alert("hi")</script>