mirror of
https://github.com/elicpeter/nyx.git
synced 2026-06-09 19:45:13 +02:00
13 lines
498 B
JavaScript
13 lines
498 B
JavaScript
// XSS — adversarial collision fixture.
|
|
// Prints the XSS oracle marker unconditionally without rendering any template
|
|
// and without emitting __NYX_SINK_HIT__.
|
|
// Expected verdict: Inconclusive(OracleCollisionSuspected)
|
|
// Entry: renderPage(userInput) Cap: HTML_ESCAPE
|
|
|
|
function renderPage(userInput) {
|
|
// Coincidental oracle match — not an HTML render sink.
|
|
process.stdout.write('<script>NYX_XSS_CONFIRMED</script>\n');
|
|
void userInput.length;
|
|
}
|
|
|
|
module.exports = { renderPage };
|