// XSS — negative fixture.
// Safe: HTML-escapes all special characters before output.
// Entry: renderPage(userInput) Cap: HTML_ESCAPE
// Expected verdict: NotConfirmed
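/**
 * Escape the five HTML-significant characters so `str` can be embedded as
 * element text or inside a double- or single-quoted attribute value.
 *
 * As shown on the page the replacement strings were the bare characters
 * themselves (`&` -> `&`, `<` -> `<`, ...), which makes every replace a
 * no-op and leaves the output unescaped; the named/numeric entities below
 * are what the contract requires. `&` is replaced first so the `&` that
 * the later entities introduce is not itself re-escaped.
 *
 * This is an HTML text/attribute escaper only; it does not make a value
 * safe for JavaScript, CSS or URL contexts.
 *
 * @param {*} str - value to escape; coerced with String() first, so numbers,
 *   null and undefined are rendered rather than throwing
 * @returns {string} the escaped text
 */
function escapeHtml(str) {
  return String(str)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}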
/**
 * Render `userInput` inside a minimal HTML document and write it to stdout.
 * The value goes through escapeHtml() before interpolation, so it is emitted
 * as text rather than interpreted as markup.
 *
 * @param {*} userInput - untrusted value to display
 */
function renderPage(userInput) {
  const body = escapeHtml(userInput);
  const page = `<html><body>${body}</body></html>\n`;
  process.stdout.write(page);
}
// Only the rendering entry point is exported; escapeHtml stays module-private.
module.exports = { renderPage };