No user-submitted input is written to the page. It is just assigned to a harmless variable in the accompanying JavaScript code.

Enter your username:

HTML
CSS
JavaScript
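<!--
  Demo markup: a single text field plus the #screen container that the
  accompanying JavaScript appends its generated <script> element to.
  The deprecated <center> element is replaced by a text-align wrapper, the
  prompt becomes a real <label> for the field, and #screen is moved out of the
  <p> because a <div> cannot be nested inside a paragraph.
-->
<div style="text-align: center">
  <label for="input">Enter your username:</label>
  <p>
    <input type="text" id="input">
  </p>
  <div id="screen"></div>
</div>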

// Demo handler: when Enter is released in #input, the field's value is copied
// into the source text of a newly created <script> element, which is then
// attached under #screen.
//
// Security note: the value is interpolated, unescaped, into a single-quoted
// string literal inside script source. Nothing is rendered as HTML, yet a quote
// character in the input ends the literal and whatever follows is parsed as
// JavaScript. Treating the value as data (a direct assignment, or textContent
// when it has to be displayed) removes the injection point.
document.querySelector('#input').addEventListener('keyup', function(event) {
  // 13 is the keyCode reported for Enter; every other key is ignored.
  if (event.keyCode !== 13) {
    return;
  }

  const typed = document.querySelector('#input').value;
  const screen = document.querySelector('#screen');

  const script = document.createElement('script');
  script.type = 'text/javascript';

  // NOTE(review): `code` inside the generated text is not this handler's
  // local; the injected script does not run inside this function, so that
  // line may not do what was intended. Confirm.
  const scriptSource = `
var user = '${typed}';
document.querySelector('#screen').innerHTML = code;
`;

  try {
    // Preferred path: carry the source as a text node child of the script.
    script.appendChild(document.createTextNode(scriptSource));
    screen.appendChild(script);
  } catch (err) {
    // Fallback when appending a text node to the script element throws.
    script.text = scriptSource;
    screen.appendChild(script);
  }
});
/* Username text field of the demo: full width with generous padding. */
#input {
  width: 100%;
  height: 26px;
  padding: 20px;
  margin-bottom: 10px;
  font-size: 16px;
}

/* Applet wrapper classes; no element in the markup shown here uses them. */
.applet-html {
  padding: 20px;
}

.applet {
  margin-bottom: 20px;
}

Takeaways and notes

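  • Eg: '-alert(1)-' — the input is interpolated into a single-quoted string inside generated script source, so a quote in the input ends the string literal and the rest is parsed as code, even though nothing is rendered as HTML. The fix is to keep the value as data (assign it directly, and use textContent if it must be shown) instead of concatenating it into script text; a Content Security Policy that disallows inline script adds a second layer.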