forked from lokori/flask-vuln
-
Notifications
You must be signed in to change notification settings - Fork 0
/
xss5.html
31 lines (24 loc) · 835 Bytes
/
xss5.html
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
<html><body>
Mighty <div id='namediv'></div>, compose your email now:
<form>To: <input type='text'></input><br>
Subject: <input type='text'></input><br>
Content: <textarea></textarea><br>
<input type="button" value="Send!"/>
</form>
<!-- TODO: future, will get additional metadata from backend in JSON -->
<script>
var urlparser = new URLSearchParams(window.location.search);
var name = urlparser.get('name');
const xhr = new XMLHttpRequest();
xhr.open('GET', 'myson?name=' + name);
/* TODO: our API is still responding wrong MIME type :( Must fix security. */
xhr.responseType = 'json';
xhr.onload = function(e) {
if (this.status == 200) {
document.getElementById('namediv').innerHTML = this.response.name;
console.log('response', this.response);
}
};
xhr.send();
</script>
</body></html>