Repl link: https://replit.com/@QwertyQwerty54/Repler
If you login then it takes you to a rickroll.
It seems to have an XSS issue, how can I fix that?
Someone (deffinitely not me) posted something like the following:
<script>window.location.replace('https://youtube.com/...')</script>
That means that because your site uses innerHTML to render the posts, when that post is loaded it runs the script, which then takes you to YouTube.
All you need to do is delete the post that contains that script and it will be fixed. But you should still fix it so that your site no longer has XXS vulnerabilities.
2 Likes
Thanks, how should I load the posts without using html?
1 Like
You should prefer textContent over innerHTML for this reason. Using textContent, would mean that a user cannot write HTML code like that as it would just be read as plain text rather than parsed into HTML.
2 Likes
This topic was automatically closed 7 days after the last reply. New replies are no longer allowed.