Open lkrids opened 11 years ago
https://github.com/LukeAskew/Front-End-Standards/blob/master/JavaScript/Security.md -- the hash is just a string; it never gets evaled or inserted in the DOM. Does that allow XSS?
You are correct.
I pulled this snippet from an issue we had on an HP site. There was some additional AJAX things happening as well. I will work to complete the example.