I have a page with a single input field. When I enter a string and submit it, on the next page there are two "echoes" of it:
<img id="loading" src="/static/img/loading.gif" style="width: 50%" onload="startTimer(' MY INPUT IS HERE ');" />
and
<div id="message">Your timer will execute in {MY INPUT IS HERE} seconds.</div>
These characters are not escaped: ~ ` ! @ # $ % ^ * ( ) _ - = + ? / \ | ; : . ,
These characters are escaped: < > ' " &
I don't know how to inject valid XSS into either one since I don't know how to escape either one. And since I can't enter < >, I can't input script tags between the <div> </div>.