Client XSS Exercise-1

Previous Next

Data Flow

Source of Data Data from Source Data to Sink Sink causing Execution
location.hash HTMLElement.innerHTML

Vulnerable Code


    let hash = location.hash;
    if (hash.length > 1) {
        let hashValueToUse = unescape(hash.substr(1));
        let msg = "Welcome <b>" + hashValueToUse + "</b>!!";
        document.getElementById("msgboard").innerHTML = msg;
    }