zhaojs
2023-07-17 93eb06506cc784b0c206239156dca53300f93e2b
<!DOCTYPE HTML>
<html>
<head>
<meta charset="UTF-8">
<title>xss-test</title>
<!-- Template engine under test, loaded from the local build output. -->
<script src="../dist/template-native.js"></script>
</head>
 
<body>
<!-- Render target: the script at the bottom assigns the rendered string to this element's innerHTML. -->
<div id="content"></div>
<!--
  Template source for the manual XSS check. A script element with a non-JavaScript
  type is a data block, so the browser does not parse its text as markup; the id
  "test" is what the script below passes to template().

  Every placeholder sits inside a double-quoted attribute value, so the context under
  test is "untrusted string inside a quoted attribute":
    - <%=name%> is the default output form used by the three live img lines.
    - <%=#name%> appears only on the first line, which is wrapped in an HTML comment;
      its title text reads "this is unescaped output", i.e. the raw form is kept as a
      reference and not rendered as a live element. Whether the engine still evaluates
      a tag placed inside an HTML comment is not visible on this page.

  No comments are added inside the element itself: its text is the template, and any
  extra characters there would become part of the rendered output.
-->
<script id="test" type="text/html">
<!--<img title="这是没转义的输出" src="<%=#url_0%>" />-->
<img src="<%=url_1%>" />
<img src="<%=url_2%>" />
<img src="<%=url_3%>" data-index="<%=index%>" />
</script>
 
<script>
// Test inputs. Each value models untrusted data that tries to leave the quoted
// attribute it is rendered into and add an onload handler to the img element.
var data = {
    // Literal double quotes around an injected handler. Referenced only by the
    // commented-out raw-output line of the template.
    url_0: 'http://mat1.gtimg.com/www/images/qq2012/qqlogo_1x.png?" onload="alert(\'no escape\')"',
    // A literal double quote followed by an unquoted handler: the baseline case,
    // which stays inside src only if the quote is entity-encoded on output.
    url_1: 'http://mat1.gtimg.com/www/images/qq2012/qqlogo_1x.png?" onload=alert(1)',
    // The quote arrives already written as the character reference &#34;. This
    // exercises how the encoder treats input that already contains entities.
    url_2: 'http://mat1.gtimg.com/www/images/qq2012/qqlogo_1x.png?&#34; onload=alert(2)',
    // The JavaScript literal ends in an escaped backslash, so the value ends with a
    // single "\" placed directly before the closing quote of src.
    url_3: 'http://mat1.gtimg.com/www/images/qq2012/qqlogo_1x.png?\\',
    // Rendered into data-index on the same element as url_3. The value is a single
    // backslash, then &quot;, then &#38;#34; (an entity-encoded "&" followed by "#34;"),
    // then the handler text: a mix of pre-encoded and double-encoded quotes.
    index: '\\&quot;&#38;#34; onload=alert(2)'
};
// Render the template whose id is 'test' with the payloads above.
var html = template('test', data);
// innerHTML is the sink: the rendered string is parsed as markup, so a value that
// escaped its attribute would become a real onload attribute.
// NOTE(review): the page contains no assertion. Presumably it passes when three
// images load and no alert dialog appears; an automated check that no img inside
// #content carries an onload attribute would make the result explicit.
// NOTE(review): this covers quoted-attribute escaping only. Entity-encoding does
// not validate the URL itself or protect unquoted attributes or script contexts.
document.getElementById('content').innerHTML = html;
</script>
</body>
</html>