-
Notifications
You must be signed in to change notification settings - Fork 41
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
trace() output not escaped properly before rendered into web page #81
Comments
This is a bug in https://github.com/markknol/console-log-viewer I'll fix this soon. |
It now logs html-tags correct: http://try.haxe.org/#F659f BUT it does not solve what's happening here. The <script><script>alert('yo man')</script> bla bla</script> This writes the everything after the first @clemos Should we blacklist something like this too? Since you can now break the script tag premature; I'm not sure if this is a potential security issue too. |
I guess I should not inline the generated JS in the "runner" iframe, that's all. |
Thanks for looking at this,. Two remarks: a) In Reference: https://mathiasbynens.be/notes/etago b) Re security: Whenever I'm able to inject code into a page like we have it here, I'd recommend to always treat it as security relevant, even when it actually seems not to be an exploitable thing. Why? Two reasons:
|
http://try.haxe.org/#e9c1E
This leads to an alert() being shown, which should not happen.
Instead, the string should be printed into the output window.
The text was updated successfully, but these errors were encountered: