I was wondering if the below snippet of code is vulnerable to an XSS attack:
var url = $(location).attr('href');
var first_name = url.split("fname=")[1].split("&")[0];
console.log(first_name);
When I send an injection in the fname variable, I see its value output by console.log as a URL-encoded string, and it does not get interpreted as a script tag. Is there a way to exploit this for an XSS attack?
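An added example (not part of the original post) that contrasts the post's split-based extraction with URL parsing, and shows the encoding to apply if the value is ever written into HTML instead of only being logged. The sample URLs, the example.test host and the function names are assumptions made for illustration.

```javascript
// Constructed sample input; runs in Node.js or a browser console.
const SAMPLE_URL = "https://example.test/profile?fname=%3Cb%3EAda%3C%2Fb%3E&lname=L";

// The post's extraction logic, with the URL passed in instead of read from location.
// It returns the raw, still percent-encoded substring, throws when "fname=" is
// absent, and matches any parameter whose name merely ends in "fname".
function fnameBySplit(url) {
  return url.split("fname=")[1].split("&")[0];
}

// Parser-based extraction: matches the exact parameter name, percent-decodes
// the value, and returns null when the parameter is missing.
function fnameByParser(url) {
  return new URL(url).searchParams.get("fname");
}

// Encoding for an HTML text or quoted-attribute context. Needed only when the
// value is placed into markup; console.log does not render HTML into the page.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Summarise the three forms of the same parameter for one URL.
function inspect(url) {
  let raw = null;
  try {
    raw = fnameBySplit(url);
  } catch (e) {
    raw = null; // the split-based code throws a TypeError when fname is missing
  }
  const decoded = fnameByParser(url);
  return { raw, decoded, htmlSafe: decoded === null ? null : escapeHtml(decoded) };
}

console.log(inspect(SAMPLE_URL));
```

Whether a value like this becomes an XSS issue depends on the sink it later reaches: a decoded value assigned as markup is the risky case, while logging it or assigning it through textContent treats it as plain text.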