<?xml version="1.0" encoding="utf-8"?><feedxmlns="http://www.w3.org/2005/Atom"><generatoruri="https://jekyllrb.com/"version="4.0.0">Jekyll</generator><linkhref="http://localhost:4000/feed.xml"rel="self"type="application/atom+xml"/><linkhref="http://localhost:4000/"rel="alternate"type="text/html"/><updated>2020-04-25T12:49:41+00:00</updated><id>http://localhost:4000/feed.xml</id><entry><titletype="html">What is XSS?</title><linkhref="http://localhost:4000/2020/04/25/xss.html"rel="alternate"type="text/html"title="What is XSS?"/><published>2020-04-25T00:00:00+00:00</published><updated>2020-04-25T00:00:00+00:00</updated><id>http://localhost:4000/2020/04/25/xss</id><contenttype="html"xml:base="http://localhost:4000/2020/04/25/xss.html"><p>I found a cross-site scripting (XSS) attack
<?xml version="1.0" encoding="utf-8"?><feedxmlns="http://www.w3.org/2005/Atom"><generatoruri="https://jekyllrb.com/"version="4.0.0">Jekyll</generator><linkhref="http://localhost:4000/feed.xml"rel="self"type="application/atom+xml"/><linkhref="http://localhost:4000/"rel="alternate"type="text/html"/><updated>2020-04-25T13:05:38+00:00</updated><id>http://localhost:4000/feed.xml</id><entry><titletype="html">What is XSS?</title><linkhref="http://localhost:4000/2020/04/25/xss.html"rel="alternate"type="text/html"title="What is XSS?"/><published>2020-04-25T00:00:00+00:00</published><updated>2020-04-25T00:00:00+00:00</updated><id>http://localhost:4000/2020/04/25/xss</id><contenttype="html"xml:base="http://localhost:4000/2020/04/25/xss.html"><p>I found a cross-site scripting (XSS) attack
in a well-known quiz hosting website.
I disclosed the vulnerability to them years ago, so I thought
now might be a good time to write about it.</p>
@ -66,7 +66,8 @@ Internally this would be something like <code class="highlighter-rouge&q
but they would show up to a user as <code class="highlighter-rouge">&lt;</code>.</p>
<p>When inputs are not properly sanitized <em>and</em> the input is shown to the user in another part of the website,
then a malicous user can type in HTML that will run whenever anybody tries to look at what they typed.</p>
then a malicous user can type in HTML that will run whenever anybody tries to look at what they typed.
For example: a name for a quiz website (input) and the leaderboard for said quiz (display).</p>
<p>HTML, by itself is not very dangerous.
The worst thing you could do is probably put a link on your name,