JavaScript injection example
<!DOCTYPE html>
<html>
<body>
<h1>Example Scenario</h1>
<p>Save this locally as an HTML file and try it out. Open it and then look in your Firebug
or developer console. More details here:
http://blog.alanszlosek.com/post/20077489479/tag-stripping-not-sufficient-to-prevent-javascript</p>
<p>What follows is an example of JavaScript injection. The real-world scenario might involve
a simple blog web application with Title and Body fields. Each field is run through a tag-stripping
function on its own, and neither field by itself contains a complete tag, so the fragments can sneak past
HTML tag-stripping functions like PHP's strip_tags() and only recombine into a script tag once both are
rendered on the same page. I haven't tested against the built-in tag-stripping functions found in other
languages.</p>
<!-- Everything between the H2 tags was entered into the Blog Title field -->
<h2>Title with injection <script a="</h2>
<!-- Everything between the DIV tags was entered into the Blog Body field -->
<div>
">console.log('JavaScript successfully injected!');</script
</div>
</body>
</html>
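The split-tag trick above, reproduced as an added example that is not part of the gist: a naive regex tag stripper (a constructed stand-in for a per-field sanitizer, not PHP's actual strip_tags implementation) is applied to the Title and Body fields separately, the stripped fields are concatenated into the page, and the result is checked for a `<script` opening. The same fields rendered through `html.escape` cannot form a tag at all. The field values are the ones from the HTML above; the function names, the regex and the templates are assumptions for this example.

```python
import html
import re

# Naive tag stripper: removes only complete <...> tags and leaves an unclosed
# fragment such as '<script a="' untouched. This is a constructed stand-in for
# a sanitizer applied to each field in isolation, not PHP's strip_tags().
TAG_RE = re.compile(r"<[^>]*>")


def strip_tags(field: str) -> str:
    """Remove complete tags from one field; unclosed fragments survive."""
    return TAG_RE.sub("", field)


# The Title and Body values from the gist's HTML (constructed sample input).
TITLE = 'Title with injection <script a="'
BODY = '">console.log(\'JavaScript successfully injected!\');</script'


def render_stripped(title: str, body: str) -> str:
    """Vulnerable rendering: each field is stripped on its own and then
    concatenated, so the '<script' fragment and its closing '">' meet
    in the final page."""
    return f"<h2>{strip_tags(title)}</h2>\n<div>\n{strip_tags(body)}\n</div>"


def render_escaped(title: str, body: str) -> str:
    """Hardened rendering: escape at output time. Every '<', '>', '&' and
    quote becomes an entity, so no combination of fields can start a tag."""
    return f"<h2>{html.escape(title)}</h2>\n<div>\n{html.escape(body)}\n</div>"


# Detection check used in the assertions: does the rendered page contain an
# opening script tag (case-insensitive, at a word boundary)?
SCRIPT_OPEN = re.compile(r"<script\b", re.IGNORECASE)


def contains_script_tag(markup: str) -> bool:
    return SCRIPT_OPEN.search(markup) is not None


if __name__ == "__main__":
    # The stripper works on a well-formed field ...
    print(repr(strip_tags("<b>bold</b> text")))
    # ... but leaves both injected fragments intact, and the page contains
    # a live <script> once they are joined.
    page = render_stripped(TITLE, BODY)
    print(page)
    print("script tag present:", contains_script_tag(page))
    # Escaping on output closes the hole regardless of what was stored.
    safe = render_escaped(TITLE, BODY)
    print(safe)
    print("script tag present:", contains_script_tag(safe))
```

The takeaway is that tag stripping is an input filter judged one value at a time, while the browser tokenises the whole response; only an output-context encoding such as `html.escape` (or a templating engine that escapes by default) reasons about the page the browser will actually see.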