Put <a href="javascript: alert('hi')"> in the event description. This renders as a link for all users that, when clicked, displays a popup. That's XSS.
Here's what we get from /get/0:
"events": [
  {
    "section_color": "#8441A5",
    "event_id": 55492,
    "event_description": "<a href=\"javascript:alert('hi');\">My project page<\/a>\n\nhttp:\/\/www.cs.princeton.edu\/courses\/archive\/spring14\/cos333\/proj5.html\n\n(He also says we ought to read http:\/\/www.cs.princeton.edu\/courses\/archive\/spring14\/cos333\/proj3b.html, but the former link supercedes the latter.)",
    "event_start": "1400014859",
    "revision_id": 55499,
    "event_location": "Event location",
    "modified_user": "maximz",
    "section_id": 1067,
    "course_id": 297,
    "event_group_id": 2760,
    "event_type": "EX",
    "event_end": "1400018459",
    "event_title": "Final Report!",
    "modified_time": "1399822260"
  }
]
We ought to have escaped HTML tags server-side.
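
One way to do that escaping on the server, as an added example rather than the project's own code: every character of the description is HTML-escaped, and only plain http(s) URLs are turned back into links, so the `javascript:` anchor is shown as text. The names `render_description` and `SAMPLE` are assumptions; the sample is the `event_description` from the response above, trimmed after the first URL.

```python
import html
import json
import re

# Only absolute http(s) URLs are linkified; any other scheme stays plain text.
_URL_RE = re.compile(r"https?://[^\s<>\"']+")

# event_description from the /get/0 response above, trimmed after the first URL.
SAMPLE = r'''{"event_description": "<a href=\"javascript:alert('hi');\">My project page<\/a>\n\nhttp:\/\/www.cs.princeton.edu\/courses\/archive\/spring14\/cos333\/proj5.html"}'''


def render_description(raw: str) -> str:
    """Return markup for a user-supplied description that is safe to insert as HTML.

    User-supplied tags are escaped, so they are displayed instead of parsed.
    The only markup emitted is generated here: <a> for http(s) URLs and <br>.
    """
    out, pos = [], 0
    for m in _URL_RE.finditer(raw):
        # Trailing sentence punctuation is not part of the URL.
        url = m.group(0).rstrip(".,;:!?)")
        out.append(html.escape(raw[pos:m.start()]))
        safe = html.escape(url, quote=True)
        out.append(f'<a href="{safe}" rel="noopener noreferrer">{safe}</a>')
        pos = m.start() + len(url)
    out.append(html.escape(raw[pos:]))
    return "".join(out).replace("\n", "<br>\n")


if __name__ == "__main__":
    description = json.loads(SAMPLE)["event_description"]
    print(render_description(description))
```

The client must insert the returned string as-is; if the client builds the links itself, it needs the same scheme allowlist before setting `href`.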