zhuifengshaonianhanlu / pikachu

A fun Web security vulnerability testing platform
Apache License 2.0
3.65k stars, 735 forks

xss_dom_x.php: the "+" sign is decoded into a space, so plus signs cannot be used #28

Open lushanshan1995 opened 1 year ago

lushanshan1995 commented 1 year ago

Source:

```javascript
function domxss(){
    var str = window.location.search;
    // percent-decode first ...
    var txss = decodeURIComponent(str.split("text=")[1]);
    // ... then turn "+" into spaces (the "\" was lost in the original paste)
    var xss = txss.replace(/\+/g,' ');
    // alert(xss);
    document.getElementById("dom").innerHTML = "<a href='"+xss+"'>就让往事都随风,都随风吧</a>";
}
```

Bug: with the current order of decodeURIComponent and replace, both "+" and "%2B" are decoded into a space.

```javascript
decodeURIComponent("x%2By+z").replace(/\+/g, ' ')   // → "x y z"
decodeURIComponent("x%2By+z".replace(/\+/g, ' '))   // → "x+y z"
```
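Worked example added here (not code from the pikachu project): both orderings side by side, plus a small form-style query parser that replaces "+" before percent-decoding so a literal plus sent as `%2B` survives, and a comparison with the built-in `URLSearchParams`, which applies the same rule. The query strings are constructed for the demo.

```javascript
// Order used by xss_dom_x.php: decode first, then "+" -> space.
// "%2B" becomes "+" in step one and is then wiped out by step two.
function decodeThenReplace(s) {
  return decodeURIComponent(s).replace(/\+/g, ' ');
}

// Correct order for application/x-www-form-urlencoded data:
// "+" -> space first, then percent-decode, so "%2B" stays a literal "+".
function replaceThenDecode(s) {
  return decodeURIComponent(s.replace(/\+/g, ' '));
}

// Minimal parser for window.location.search that keeps "+" and "%2B" distinct.
// Returns null for a component with malformed percent-encoding instead of
// letting decodeURIComponent throw a URIError.
function parseQuery(search) {
  const params = {};
  const qs = search.startsWith('?') ? search.slice(1) : search;
  for (const pair of qs.split('&')) {
    if (!pair) continue;
    const idx = pair.indexOf('=');
    const rawKey = idx === -1 ? pair : pair.slice(0, idx);
    const rawVal = idx === -1 ? '' : pair.slice(idx + 1);
    try {
      params[replaceThenDecode(rawKey)] = replaceThenDecode(rawVal);
    } catch (e) {
      params[rawKey] = null; // malformed escape such as "%E0%A4%A"
    }
  }
  return params;
}

// The platform's own parser follows the same "+" means space, "%2B" means "+" rule.
function parseWithURLSearchParams(search) {
  return Object.fromEntries(new URLSearchParams(search));
}

// Constructed query string: the value is meant to read "a+b c".
const sample = '?text=a%2Bb+c&k=v';
console.log(decodeThenReplace(sample.split('text=')[1].split('&')[0])); // "a b c"
console.log(parseQuery(sample).text);                                   // "a+b c"
console.log(parseWithURLSearchParams(sample).text);                     // "a+b c"
```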

lushanshan1995 commented 1 year ago

Because of this I spent two hours trying to concatenate a cookie with "+" 0.0