TechQA.

Is this javascript code vulnerable to XSS

139 views Asked by At

I have a simple example.js file that that is included in a html <script src="example.js"></script>

'use strict';

function getURLParameter(name) {
  return new URLSearchParams(window.location.search).get(name)
}

function myFunction() {
    var myParam = '?my_param=' + getParam('my_param');
    $.ajax({
    cache: false,
    url: 'https://example.com' + clientParam,
    type: 'GET',
    [....]
}

Is the above javascript vulnerable to XSS ? I would have thought that var myParam = '?my_param=' + getParam('my_param') or even the part inside the avax call when doing the string concatenation would be but I can't break the string and the " gets replaced by '\"'

for example something as simple as this

https://mypage.com?my_param=test';alert(1);

I thought would replace var myParam = '?my_param=' + getParam('my_param'); by var myParam = '?my_param=test';alert(1);

javascript xss poc
Original Q&A
1

There are 1 answers

0
Quentin On BEST ANSWER

No.

JavaScript does not execute strings returned from functions as if they were JS source code. They are just strings.

Related Questions in JAVASCRIPT

Related Questions in XSS

Related Questions in POC

Popular Questions

Popular Tags

javascript python java c# php android html jquery c++ css ios sql mysql r reactjs node.js arrays c asp.net json python-3.x ruby-on-rails .net sql-server swift django angular objective-c pandas excel

Trending Questions