Data Flow
| Source of Data | Data from Source | Data to Sink | Sink causing Execution |
| --- | --- | --- | --- |
| location.hash | | | HTMLElement.innerHTML |
Vulnerable Code
// Deliberately vulnerable sample: text from the URL fragment is concatenated into
// markup and assigned to innerHTML (DOM-based XSS).
// Source: location.hash, which is controlled by whoever supplies the link.
let hash = location.hash;
// Drop the leading "#" and percent-decode the rest; a hash of length <= 1 is used unchanged.
// unescape() and substr() are deprecated. Decoding here means percent-encoded characters
// in the link reach the checks below in decoded form.
let hashValueToUse = hash.length > 1 ? unescape(hash.substr(1)) : hash;
// Only fragments that contain "=" are processed.
if (hashValueToUse.indexOf("=") > -1 ) {
// Keep everything after the first "=".
hashValueToUse = hashValueToUse.substr(hashValueToUse.indexOf("=")+1);
// NOTE(review): as printed, each replacement maps a character to itself, so this line
// changes nothing. Presumably the original encoded the angle brackets as HTML entities
// and the entities were decoded when the page was extracted; confirm against the original.
// Either way only angle brackets are considered; quote characters are left as they are.
hashValueToUse = hashValueToUse.replace(/</g, "<").replace(/>/g, ">");
// The value is placed inside a single-quoted href attribute by string concatenation.
// Because the single quote is not encoded, the value is not confined to the attribute,
// so filtering angle brackets alone is not sufficient for this output context.
let msg = "<a href='#user=" + hashValueToUse + "'>Welcome</a>!!";
// Sink: innerHTML parses msg as HTML. Safer pattern: create the <a> with
// document.createElement, set href with setAttribute and the label with textContent,
// so the fragment value is never parsed as markup.
document.getElementById("msgboard").innerHTML = msg;
}