
XSS Payload - how to prevent JS throwing an alert



tsensuous.grace
25 Jul 2018, 10:34 AM
I'm trying to encode the string:

using
Ext.util.Format.htmlEncode("localhost.loca<img src=x onerror=alert(1)>ldomain")
I also tried
Ext.String.htmlEncode, but this renders undefined for me; not sure how to add encoding to prevent JS alerting on every error.

This is my code:

// Method of a larger object (the rest of the component is not shown in the post);
// someCondition is defined elsewhere. The untrusted name is HTML-encoded before
// being concatenated into the markup so that the <img onerror=...> payload is
// rendered as text instead of being parsed as a tag.
getAssetName: function() {
    if (someCondition) {
        return '<a href="#">' + Ext.util.Format.htmlEncode("localhost.loca<img src=x onerror=alert(1)>ldomain") + '</a>';
    } else {
        return '<span>' + Ext.util.Format.htmlEncode("localhost.loca<img src=x onerror=alert(1)>ldomain") + '</span>';
    }
},
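As an added example (not code from the original post or from ExtJS), here is a stand-alone version of the encoding step for plain JavaScript with no ExtJS loaded: htmlEncode mirrors what Ext.util.Format.htmlEncode does (assumption: the same five characters &, <, >, " and ' are replaced), renderAssetName builds the markup the way the poster's getAssetName does, and onlyWrapperTags checks that the injected <img> survives only as text, not as a tag.

```javascript
// Stand-alone HTML-escaping helper modelled on Ext.util.Format.htmlEncode.
// Assumption: the same five characters are replaced as in ExtJS.
const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};

// Reverse map used by htmlDecode to show the round trip is lossless.
const HTML_UNESCAPES = Object.fromEntries(
  Object.entries(HTML_ESCAPES).map(([ch, entity]) => [entity, ch])
);

// Single-pass replacement: every special character is replaced at once, so
// the '&' produced for one entity is never re-encoded by a later pass.
function htmlEncode(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Decodes only the entities htmlEncode emits; used to show the displayed
// text is the original string, just inert.
function htmlDecode(value) {
  return String(value).replace(/&(?:amp|lt|gt|quot|#39);/g, (ent) => HTML_UNESCAPES[ent]);
}

// Builds the same markup as the poster's getAssetName, encoding the
// untrusted name before it is concatenated into HTML.
function renderAssetName(name, asLink) {
  const safe = htmlEncode(name);
  return asLink ? '<a href="#">' + safe + '</a>' : '<span>' + safe + '</span>';
}

// Returns true when the only tags in the fragment are the wrapper tags the
// renderer added (<a> / <span>), i.e. nothing from the input became markup.
function onlyWrapperTags(html) {
  const tags = html.match(/<\/?[a-z][^>]*>/gi) || [];
  return tags.every((tag) => /^<\/?(?:a|span)\b/i.test(tag));
}

// Constructed sample input: the payload string from the post.
const SAMPLE = 'localhost.loca<img src=x onerror=alert(1)>ldomain';

console.log(renderAssetName(SAMPLE, true));
// -> <a href="#">localhost.loca&lt;img src=x onerror=alert(1)&gt;ldomain</a>
```

The encoded output still contains the literal text "onerror=alert(1)", which is expected: the browser displays it as characters and never parses it as an attribute because the surrounding < and > were turned into entities.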