Data Flow
| Source of Data | Data from Source | Data to Sink | Sink causing Execution |
|---|---|---|---|
| location.hash | | | HTMLElement.innerHTML |
| window.name | | | HTMLElement.innerHTML |
Vulnerable Code
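// Intentionally vulnerable sample: two values that a third party can influence
// (location.hash and window.name) are concatenated into an HTML string and
// assigned to HTMLElement.innerHTML. The behaviour is kept as-is so the data
// flow stays visible; the comments mark the source, the weak filters and the sink.
//
// Safer pattern for real code: create the <a> with document.createElement,
// parse the candidate URL with `new URL(...)`, accept only an allow-list of
// schemes (e.g. http: / https:), assign it to `.href`, and set the label via
// `.textContent` instead of building markup for innerHTML.

// SOURCE 1: the URL fragment is chosen by whoever constructs the link.
const hash = location.hash;
// Strip the leading "#" and percent-decode (unescape() is deprecated, kept to
// preserve the sample's behaviour).
let hashValueToUse = hash.length > 1 ? unescape(hash.substr(1)) : hash;
if (hashValueToUse.indexOf("=") > -1) {
  // Keep only what follows the first "=".
  hashValueToUse = hashValueToUse.substr(hashValueToUse.indexOf("=") + 1);
  if (hashValueToUse.length > 1) {
    // The 10-character cap is not a security control: the rest of the href
    // comes from window.name below, which is not length-limited.
    hashValueToUse = hashValueToUse.substr(0, 10);
    // Escaping double quotes only stops the value from closing the
    // href="..." attribute. It does not validate the URL scheme and does not
    // encode other HTML metacharacters, so the attribute value itself remains
    // untrusted.
    hashValueToUse = hashValueToUse.replace(/"/g, "&quot;");
    // SOURCE 2: window.name is not bound to this page's origin; it may have
    // been set by whichever page opened or previously occupied this window.
    const windowValueToUse = window.name.replace(/"/g, "&quot;");
    const msg = "<a href=\"" + hashValueToUse + windowValueToUse + "\">Welcome</a>!!";
    // SINK: innerHTML parses the string as markup, producing a link whose
    // target is entirely derived from the two untrusted sources.
    document.getElementById("msgboard").innerHTML = msg;
  }
}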