|
|
|
@ -72,6 +72,7 @@ but they would show up to a user as `<`.
|
|
|
|
|
|
|
|
|
|
|
|
When inputs are not properly sanitized *and* the input is shown to the user in another part of the website,
|
|
|
|
When inputs are not properly sanitized *and* the input is shown to the user in another part of the website,
|
|
|
|
then a malicous user can type in HTML that will run whenever anybody tries to look at what they typed.
|
|
|
|
then a malicous user can type in HTML that will run whenever anybody tries to look at what they typed.
|
|
|
|
|
|
|
|
For example: a name for a quiz website (input) and the leaderboard for said quiz (display).
|
|
|
|
|
|
|
|
|
|
|
|
HTML, by itself is not very dangerous.
|
|
|
|
HTML, by itself is not very dangerous.
|
|
|
|
The worst thing you could do is probably put a link on your name,
|
|
|
|
The worst thing you could do is probably put a link on your name,
|
|
|
|
|
Tait Hoyem
4 years ago