WelcomeUser Guide
ToSPrivacyCanary
DonateBugsLicense

©2024 Poal.co

904

https://www.google.com/ <script>alert("hello");</script> <a href="https://www.yahoo.com">link</a>

https://www.google.com/ <script>alert("hello");</script> <a href="https://www.yahoo.com">link</a>

(post is archived)

You are currently inside a comment thread.
Click here to see all the comments (27).
[–] [deleted] 0 pt

The oldest script test in the world that never works anymore because people figured out how to safely store code in the DB decades ago

[–] 0 pt

that is not really DB stuff, that is Javascript stuff.

DB stuff would be something like

";drop users; --

[–] [deleted] 1 pt

It is DB stuff because anything put into the DB eventually gets taken out and it needs to be translated into safe information before deposit. Yes there is script handing on removal

[–] 0 pt

ok, you are right, that is stored xss

i remember that from a forum i ran as part of my job years ago, we found an xss bug in the php code and fixing it was difficult because it required rewriting all database entries to fix it. so we changed it to encode on the output and that was much easier and did not require any database encoding.

[–] 0 pt

and it is interesting how often that still works in a current website if it is new. i did a test on a portal maybe start of this year when I joined it and it worked to search for a XSS string in the search function and it would write out the title of the resulting web pages with the XSS code and would be vulnerable. i reported to the site admin and he fixed it in 1 day or 2