// XSS — positive fixture.
// Vulnerable: echoes raw user input into HTML output without escaping.
// Entry: renderPage(userInput) Cap: HTML_ESCAPE
// Expected verdict: Confirmed (<script>NYX_XSS_CONFIRMED</script> echoed)
/**
 * Scanner fixture: writes a sink marker and then an HTML page that embeds
 * `userInput` verbatim, with no escaping.
 *
 * The missing escape is the property under test (see the header above:
 * expected verdict "Confirmed"). It is not a template for production code —
 * there, `userInput` would have to be HTML-escaped before interpolation.
 *
 * @param {string} userInput - Attacker-controlled text placed inside <body>.
 * @returns {undefined}
 */
function renderPage(userInput) {
  // Marker the scanner keys on to know the sink was reached.
  const sinkMarker = '__NYX_SINK_HIT__\n';
  process.stdout.write(sinkMarker);

  // Deliberately unescaped: a payload such as <script>…</script> is emitted
  // unchanged so the scanner can confirm the reflection.
  const page = `<html><body>${userInput}</body></html>\n`;
  process.stdout.write(page);
}
// CommonJS export; the scanner harness requires this module and calls renderPage.
module.exports = { renderPage };